Windows Event Logs
Stream Windows Event Logs directly to Panther over HTTPS
Last updated
Was this helpful?
Stream Windows Event Logs directly to Panther over HTTPS
Last updated
Was this helpful?
Panther supports ingesting Windows Event Logs through an , after they are forwarded with
In the left-side navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Windows Event Logs,” then click its tile.
In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the HTTP option.
Click Start Setup.
Follow Panther's , beginning at Step 5.
When setting the Auth method for the source, we recommend using .
Payloads sent to this source are subject to the .
After creating the HTTP source, the Panther Console will display your HTTP Source URL. Store this value in a secure location, as you will need it in the next steps.
You must use winevtlog
. Other modules are deprecated and will not work.
If you are using Windows Server 2012, Use_ANSI True
may be required.
If in Step 1 you chose JSON as your HTTP Source's Stream Type, in the OUTPUT
section, provide Format
a value of json_lines
.
Start Fluent Bit, passing the path to your new config file.
Configure the following in your Fluent Bit configuration file:
[INPUT]
variables:
Channels: Set this to System,Security
[OUTPUT]
variables:
Host: Enter your Panther URL.
Example: logs.instance-name.runpanther.net
URI: Enter the end of the HTTP Source ingest URL (generated in Step 1 of this process), starting with /http/
.
Example: /http/cb015ee4-543c-4489-9f4b-testaa16d7a
Header: Enter the header name you created and the secret you generated while configuring your HTTP source in the Panther Console in Step 1.
Name: Set to http
.
TLS: Set to ON
.
Port: Set to 443
.
Follow the to install Fluent Bit as a service.
Create a . See the for instructions on configuring System and Security log streaming or Sysmon log streaming.
To run Fluent Bit as a Daemon every time the machine starts, follow the .
Configure sysmon.exe
following the .