Links

Tailscale Logs

Panther supports receiving Tailscale logs directly via webhook

Overview

Panther ingests Tailscale configuration audit and network flow logs by configuring Tailscale Log Streaming to post events to a Panther HTTP source.
To use log streaming in Tailscale, which is required to ingest Tailscale logs into Panther, you must have an Enterprise Tailscale plan.

How to onboard Tailscale logs to Panther

To onboard Tailscale logs to Panther, you'll first create a new log source in Panther, then configure Tailscale to send events to a Panther HTTP endpoint.

Prerequisites

  • In order to successfully complete this process, your Tailscale user must have one of the following roles: Owner, Admin, Network admin, or IT admin.
  • Tailscale only supports one streaming destination (e.g., Panther, Splunk, Elasticsearch) per log type. If you are currently streaming to another source, you must first disable your old source.

Step 1: Create a new Tailscale log source in Panther

  1. 1.
    In the left-side navigation bar of your Panther Console, click Configure > Log Sources.
  2. 2.
    Click Create New.
  3. 3.
    Search for “Tailscale,” then click its tile.
    • In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the HTTP option.
  4. 4.
    Click Start Setup.
    The Tailscale log source setup page is shown. In the upper-right corner, there is a "Transport Mechanism" dropdown field, with "HTTP" selected. To its right is a "Start Setup" button.
  5. 5.
    Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.
    • You will be required to use Bearer authentication. This is the method of authentication Tailscale supports for integrating with Panther.
    • Payloads sent to this source are subject to the payload requirements for all HTTP sources.
    • Do not proceed to the next step until the creation of your HTTP endpoint has completed.

Step 2: Create a new Log Stream in Tailscale

  1. 1.
    Log in to your Tailscale admin console.
  2. 2.
    In the navigation bar at the top of the screen, click Logs.
  3. 3.
    Under Configuration logs, click Start streaming.
  4. 4.
    Under Select a destination, select Panther, then provide values for the following fields:
    • URL: Enter your HTTP Source URL from Step 1.
    • Token: Enter your Bearer token from Step 1. Paste in only the token, without including the word "Bearer."
  5. 5.
    Click Start streaming.

Supported Log Types

Tailscale.Audit

schema: Tailscale.Audit
description: Event logs from Tailscale Audit Log Stream
referenceURL: https://tailscale.com/kb/1255/log-streaming/#configuration-audit-log-streaming
fields:
- name: time
required: true
description: Timestamp of when the event was generated on the Tailscale control server
type: timestamp
timeFormats:
- unix
isEventTime: true
- name: event
required: true
description: Collection of fields related to the log event
type: object
fields:
- name: deferredAt
description: Timestamp of when a rate-limited event was enqueued to be logged at a later time
type: timestamp
timeFormats:
- rfc3339
- name: eventGroupID
description: Opaque identifier assigned to one or more audit events that occurred atomically
type: string
- name: origin
required: true
description: The initiator of the action that generated the event
type: string
- name: actor
required: true
description: The person who caused the action
type: object
fields:
- name: id
description: Actor's identifier
type: string
indicators:
- actor_id
- name: type
description: Type of actor
type: string
- name: loginName
description: Actor's login name
type: string
indicators:
- email
- name: displayName
type: string
- name: tags
type: array
element:
type: string
- name: target
required: true
description: The object of this event's action
type: object
fields:
- name: id
description: ID of the target
type: string
- name: name
description: Name of the target
type: string
- name: type
description: Type of target
type: string
- name: property
description: Property changed in the target
type: string
- name: action
required: true
description: Type of action performed against the target
type: string
- name: old
description: The old value prior to the event
type: json
- name: new
description: The new value after the event
type: json
- name: actionDetails
description: Additional information about the event
type: string
- name: error
description: Reason why the action failed to complete
type: string
- name: fields
description: Object containing additional recorded field data
type: object
fields:
- name: recorded
description: Timestamp of when the event was recorded by Tailscale's logging service
type: timestamp
timeFormats:
- rfc3339

Tailscale.Network

schema: Tailscale.Network
description: Event logs from Tailscale Network Log Stream
referenceURL: https://tailscale.com/kb/1255/log-streaming/#network-flow-log-streaming
fields:
- name: time
required: true
description: Timestamp of when the event was generated on a Tailscale client
type: timestamp
timeFormats:
- unix
isEventTime: true
- name: event
required: true
description: Main event object containing multiple sub-fields
type: object
fields:
- name: nodeId
description: ID associated with the node in the tailnet
type: string
- name: start
description: Starting timestamp of window for network statistics (inclusive)
type: timestamp
timeFormats:
- rfc3339
- name: end
description: Ending timestamp of window for network statistics (inclusive)
type: timestamp
timeFormats:
- rfc3339
- name: virtualTraffic
description: Connection statistics for node to node traffic within a tailnet
type: array
element:
type: object
fields:
- name: proto
description: Internal Protocol number
type: bigint
- name: src
description: The source IP address and port
type: string
- name: srcIp
description: The source IP address
type: string
indicators:
- ip
- name: srcPort
description: The source port
type: bigint
- name: dst
description: The destination IP address and port
type: string
- name: dstIp
description: The destination IP address
type: string
indicators:
- ip
- name: dstPort
description: The destination port
type: bigint
- name: txPkts
description: Number of packets transmitted within the window
type: bigint
- name: txBytes
description: Number of bytes transmitted within the window
type: bigint
- name: rxPkts
description: Number of packets received within the window
type: bigint
- name: rxBytes
description: Number of bytes received within the window
type: bigint
- name: subnetTraffic
description: Connection statistics for node to external traffic on a subnet route
type: array
element:
type: object
fields:
- name: proto
description: Internal Protocol number
type: bigint
- name: src
description: The source IP address and port
type: string
- name: srcIp
description: The source IP address
type: string
indicators:
- ip
- name: srcPort
description: The source port
type: bigint
- name: dst
description: The destination IP address and port
type: string
- name: dstIp
description: The destination IP address
type: string
indicators:
- ip
- name: dstPort
description: The destination port
type: bigint
- name: txPkts
description: Number of packets transmitted within the window
type: bigint
- name: txBytes
description: Number of bytes transmitted within the window
type: bigint
- name: rxPkts
description: Number of packets received within the window
type: bigint
- name: rxBytes
description: Number of bytes received within the window
type: bigint
- name: exitTraffic
description: Aggregated connection statistics for traffic through an exit node
type: array
element:
type: object
fields:
- name: proto
description: Internal Protocol number
type: bigint
- name: src
description: The source IP address and port
type: string
- name: srcIp
description: The source IP address
type: string
indicators:
- ip
- name: srcPort
description: The source port
type: bigint
- name: dst
description: The destination IP address and port
type: string
- name: dstIp
description: The destination IP address
type: string
indicators:
- ip
- name: dstPort
description: The destination port
type: bigint
- name: txPkts
description: Number of packets transmitted within the window
type: bigint
- name: txBytes
description: Number of bytes transmitted within the window
type: bigint
- name: rxPkts
description: Number of packets received within the window
type: bigint
- name: rxBytes
description: Number of bytes received within the window
type: bigint
- name: physicalTraffic
description: Connection statistics for traffic at the physical layer
type: array
element:
type: object
fields:
- name: proto
description: Internal Protocol number
type: bigint
- name: src
description: The source IP address and port
type: string
- name: srcIp
description: The source IP address
type: string
indicators:
- ip
- name: srcPort
description: The source port
type: bigint
- name: dst
description: The destination IP address and port
type: string
- name: dstIp
description: The destination IP address
type: string
indicators:
- ip
- name: dstPort
description: The destination port
type: bigint
- name: txPkts
description: Number of packets transmitted within the window
type: bigint
- name: txBytes
description: Number of bytes transmitted within the window
type: bigint
- name: rxPkts
description: Number of packets received within the window
type: bigint
- name: rxBytes
description: Number of bytes received within the window
type: bigint
- name: fields
description: Object containing additional recorded field data
type: object
fields:
- name: recorded
description: Timestamp of when the event was recorded by Tailscale's logging service
type: timestamp
timeFormats:
- rfc3339