Tailscale Logs

Panther supports receiving Tailscale logs directly via webhook.

Overview

Panther ingests Tailscale configuration audit and network flow logs. To enable this, you configure Tailscale Log Streaming to post events to a Panther HTTP source.

How to onboard Tailscale logs to Panther

To onboard Tailscale logs to Panther, you'll first create a new log source in Panther, then configure Tailscale to send events to a Panther HTTP endpoint.

Prerequisites

  • To complete this process, your Tailscale user must have one of the following roles: Owner, Admin, Network admin, or IT admin.

  • Tailscale only supports one streaming destination (e.g., Panther, Splunk, Elasticsearch) per log type. If you are currently streaming a log type to another destination, you must first disable that existing stream.

Step 1: Create a new Tailscale log source in Panther

  1. In the left-side navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for “Tailscale,” then click its tile.

    • In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the HTTP option.

  4. Click Start Setup.

  5. Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.

    • You will be required to use Bearer authentication. This is the method of authentication Tailscale supports for integrating with Panther.

    • Payloads sent to this source are subject to the payload requirements for all HTTP sources.

    • Do not proceed to the next step until the creation of your HTTP endpoint has completed.

Step 2: Create a new Log Stream in Tailscale

  1. Log in to your Tailscale admin console.

  2. In the navigation bar at the top of the screen, click Logs.

  3. Under Configuration logs, click Start streaming.

  4. Under Select a destination, select Panther, then provide values for the following fields:

    • URL: Enter your HTTP Source URL from Step 1.

    • Token: Enter your Bearer token from Step 1. Paste in only the token, without including the word "Bearer."

  5. Click Start streaming.

Supported Log Types

Tailscale.Audit

Tailscale.Network
