# Jamf Pro Logs

## Overview

Panther supports ingesting Jamf Pro logs via Amazon Web Services (AWS) S3 as a [Data Transport](https://docs.panther.com/~/changes/15ann7vKLltCCAGHtdQr/data-onboarding/data-transports).

{% hint style="info" %}
**Note:** A [Jamf Premium Cloud add-on](https://resources.jamf.com/documents/products/documentation/jamf-premium-cloud.pdf) is required to connect Jamf Pro logs to Panther.
{% endhint %}

## How to onboard Jamf Pro logs to Panther

To connect these logs to Panther:

1. In the left-hand navigation bar of your Panther Console, click **Configure > Log Sources**.
2. Click **Create New**.
3. Select JAMF Pro from the list of available log sources. Click **Start Setup**.
   * AWS S3 bucket is automatically selected as the Transport Mechanism because it is the only supported Transport Mechanism for this log type.
   * Before proceeding, please follow Panther’s documentation for configuring the Data Transport option via an [AWS S3 bucket](https://docs.panther.com/data-onboarding/data-transports/s3).
4. Configure JAMF Pro to push logs to the Data Transport source.
   * See [JAMF's documentation](https://learn.jamf.com/bundle/technical-articles/page/Jamf_Cloud_Overview_and_FAQ.html) for instructions on how to push logs to an S3 bucket that is configured to allow Panther to read from it.

## Supported log types

{% hint style="info" %}
Required fields in the schema are listed as **"required: true"** just below the "name" field.
{% endhint %}

### Jamfpro.Login

Login events into Jamf Pro itself.

Reference: [Jamf Documentation on Event Logs](https://docs.jamf.com/10.35.0/jamf-pro/documentation/Event_Logs.html).

```yaml
fields:
  - name: ipAddress
    type: string
    description: IP Address that started the request
    indicators:
      - ip
  - name: username
    required: true
    description: Username of the account
    indicators:
      - username
    type: string
  - name: status
    required: true
    type: string
    description: The status of the login request
  - name: entryPoint
    required: true
    type: string
    description: The method used to login. Either Single Sign On, Universal API or Unknown
  - name: timestamp
    required: true
    type: timestamp
    description: Login timestamp
    isEventTime: true
    timeFormat: '%Y-%m-%dT%H:%M:%S,%f'
```
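The following is an added example, not part of Panther's or Jamf's own code: a pre-ingestion check that tests sample log lines against the `Jamfpro.Login` schema above (required fields, the comma-separated fractional timestamp, and the `ipAddress` indicator). It assumes one JSON object per log line; the function name, the sample lines, and the `status` value are constructed for illustration.

```python
import ipaddress
import json
from datetime import datetime

# Required fields and timeFormat copied from the Jamfpro.Login schema above.
REQUIRED = ("username", "status", "entryPoint", "timestamp")
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S,%f"  # note the comma before the fraction

# Constructed sample lines (assumption: one JSON object per line).
# The status value is a placeholder, not a documented Jamf Pro value.
SAMPLES = [
    '{"ipAddress": "192.0.2.10", "username": "admin.example", "status": "constructed-status", "entryPoint": "Universal API", "timestamp": "2023-04-05T06:07:08,123"}',
    '{"ipAddress": "192.0.2.10", "username": "admin.example", "status": "constructed-status", "entryPoint": "Unknown", "timestamp": "2023-04-05T06:07:08.123"}',
    '{"ipAddress": "999.1.1.1", "status": "constructed-status", "entryPoint": "Single Sign On", "timestamp": "2023-04-05T06:07:09,000"}',
]


def validate_login_event(line):
    """Return (event, errors); errors is empty when the line fits the schema."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError as exc:
        return None, [f"not valid JSON: {exc.msg}"]
    if not isinstance(event, dict):
        return None, ["not a JSON object"]
    errors = [f"missing required field: {name}"
              for name in REQUIRED if event.get(name) in (None, "")]
    ts = event.get("timestamp")
    if ts:
        try:
            # Python's strptime reading of the schema's format string.
            event["timestamp"] = datetime.strptime(ts, TIME_FORMAT)
        except (TypeError, ValueError):
            errors.append(f"timestamp does not match {TIME_FORMAT}: {ts!r}")
    ip = event.get("ipAddress")  # optional in the schema, but an ip indicator
    if ip:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            errors.append(f"ipAddress is not a valid IP: {ip!r}")
    return event, errors


if __name__ == "__main__":
    for sample in SAMPLES:
        _, problems = validate_login_event(sample)
        print("OK" if not problems else problems)
```

The second sample fails only because its fractional seconds follow a dot rather than the comma that `timeFormat` requires.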
