To onboard Tailscale logs to Panther, you'll first create a new log source in Panther, then configure Tailscale to send events to a Panther HTTP endpoint.
Tailscale only supports one streaming destination (e.g., Panther, Splunk, Elasticsearch) per log type. If you are currently streaming to another source, you must first disable your old source.
Step 1: Create a new Tailscale log source in Panther
In the left-side navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Tailscale,” then click its tile.
In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the HTTP option.
Do not proceed to the next step until the creation of your HTTP endpoint has completed.
Step 2: Create a new Log Stream in Tailscale
Log in to your Tailscale admin console.
In the navigation bar at the top of the screen, click Logs.
Under Configuration logs, click Start streaming.
Under Select a destination, select Panther, then provide values for the following fields:
URL: Enter your HTTP Source URL from Step 1.
Click Start streaming.
Supported Log Types
Tailscale.Audit
schema:Tailscale.Auditdescription:Event logs from Tailscale Audit Log StreamreferenceURL:https://tailscale.com/kb/1255/log-streaming/#configuration-audit-log-streamingfields: - name:timerequired:truedescription:Timestamp of when the event was generated on the Tailscale control servertype:timestamptimeFormats: - unixisEventTime:true - name:eventrequired:truedescription:Collection of fields related to the log eventtype:objectfields: - name:deferredAtdescription:Timestamp of when a rate-limited event was enqueued to be logged at a later timetype:timestamptimeFormats: - rfc3339 - name:eventGroupIDdescription:Opaque identifier assigned to one or more audit events that occurred atomicallytype:string - name:originrequired:truedescription:The initiator of the action that generated the eventtype:string - name:actorrequired:truedescription:The person who caused the actiontype:objectfields: - name:iddescription:Actor's identifiertype:stringindicators: - actor_id - name:typedescription:Type of actortype:string - name:loginNamedescription:Actor's login nametype:stringindicators: - email - name:displayNametype:string - name:tagstype:arrayelement:type:string - name:targetrequired:truedescription:The object of this event's actiontype:objectfields: - name:iddescription:ID of the targettype:string - name:namedescription:Name of the targettype:string - name:typedescription:Type of targettype:string - name:propertydescription:Property changed in the targettype:string - name:actionrequired:truedescription:Type of action performed against the targettype:string - name:olddescription:The old value prior to the eventtype:json - name:newdescription:The new value after the eventtype:json - name:actionDetailsdescription:Additional information about the eventtype:string - name:errordescription:Reason why the action failed to completetype:string - name:fieldsdescription:Object containing additional recorded field datatype:objectfields: - name:recordeddescription:Timestamp of when the event was recorded by Tailscale's logging servicetype:timestamptimeFormats: - rfc3339
Tailscale.Network
schema:Tailscale.Networkdescription:Event logs from Tailscale Network Log StreamreferenceURL:https://tailscale.com/kb/1255/log-streaming/#network-flow-log-streamingfields: - name:timerequired:truedescription:Timestamp of when the event was generated on a Tailscale clienttype:timestamptimeFormats: - unixisEventTime:true - name:eventrequired:truedescription:Main event object containing multiple sub-fieldstype:objectfields: - name:nodeIddescription:ID associated with the node in the tailnettype:string - name:startdescription:Starting timestamp of window for network statistics (inclusive)type:timestamptimeFormats: - rfc3339 - name:enddescription:Ending timestamp of window for network statistics (inclusive)type:timestamptimeFormats: - rfc3339 - name:virtualTrafficdescription:Connection statistics for node to node traffic within a tailnettype:arrayelement:type:objectfields: - name:protodescription:Internal Protocol numbertype:bigint - name:srcdescription:The source IP address and porttype:string - name:srcIpdescription:The source IP addresstype:stringindicators: - ip - name:srcPortdescription:The source porttype:bigint - name:dstdescription:The destination IP address and porttype:string - name:dstIpdescription:The destination IP addresstype:stringindicators: - ip - name:dstPortdescription:The destination porttype:bigint - name:txPktsdescription:Number of packets transmitted within the windowtype:bigint - name:txBytesdescription:Number of bytes transmitted within the windowtype:bigint - name:rxPktsdescription:Number of packets received within the windowtype:bigint - name:rxBytesdescription:Number of bytes received within the windowtype:bigint - name:subnetTrafficdescription:Connection statistics for node to external traffic on a subnet routetype:arrayelement:type:objectfields: - name:protodescription:Internal Protocol numbertype:bigint - name:srcdescription:The source IP address and porttype:string - name:srcIpdescription:The source IP addresstype:stringindicators: - ip - name:srcPortdescription:The source porttype:bigint - name:dstdescription:The destination IP address and porttype:string - name:dstIpdescription:The destination IP addresstype:stringindicators: - ip - name:dstPortdescription:The destination porttype:bigint - name:txPktsdescription:Number of packets transmitted within the windowtype:bigint - name:txBytesdescription:Number of bytes transmitted within the windowtype:bigint - name:rxPktsdescription:Number of packets received within the windowtype:bigint - name:rxBytesdescription:Number of bytes received within the windowtype:bigint - name:exitTrafficdescription:Aggregated connection statistics for traffic through an exit nodetype:arrayelement:type:objectfields: - name:protodescription:Internal Protocol numbertype:bigint - name:srcdescription:The source IP address and porttype:string - name:srcIpdescription:The source IP addresstype:stringindicators: - ip - name:srcPortdescription:The source porttype:bigint - name:dstdescription:The destination IP address and porttype:string - name:dstIpdescription:The destination IP addresstype:stringindicators: - ip - name:dstPortdescription:The destination porttype:bigint - name:txPktsdescription:Number of packets transmitted within the windowtype:bigint - name:txBytesdescription:Number of bytes transmitted within the windowtype:bigint - name:rxPktsdescription:Number of packets received within the windowtype:bigint - name:rxBytesdescription:Number of bytes received within the windowtype:bigint - name:physicalTrafficdescription:Connection statistics for traffic at the physical layertype:arrayelement:type:objectfields: - name:protodescription:Internal Protocol numbertype:bigint - name:srcdescription:The source IP address and porttype:string - name:srcIpdescription:The source IP addresstype:stringindicators: - ip - name:srcPortdescription:The source porttype:bigint - name:dstdescription:The destination IP address and porttype:string - name:dstIpdescription:The destination IP addresstype:stringindicators: - ip - name:dstPortdescription:The destination porttype:bigint - name:txPktsdescription:Number of packets transmitted within the windowtype:bigint - name:txBytesdescription:Number of bytes transmitted within the windowtype:bigint - name:rxPktsdescription:Number of packets received within the windowtype:bigint - name:rxBytesdescription:Number of bytes received within the windowtype:bigint - name:fieldsdescription:Object containing additional recorded field datatype:objectfields: - name:recordeddescription:Timestamp of when the event was recorded by Tailscale's logging servicetype:timestamptimeFormats: - rfc3339
Token: Enter your Bearer token from Step 1. Paste in only the token, without including the word "Bearer."
