Syslog Logs
Connecting Syslog logs to your Panther Console
Panther supports ingesting Syslog logs via the common data transport options: Amazon Web Services (AWS) S3, SQS, and CloudWatch.
To connect these logs into Panther:
1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
2. Click Create New.
3. Search for the log type you want to onboard, then click its tile.
4. Select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring the method.
5. Configure Syslog to push logs to the Data Transport source. Consult your Syslog documentation for guidance on pushing logs to the Data Transport source of your choice.
Syslog parser for the RFC3164 format (i.e., BSD-syslog messages)

| Column | Type | Description |
|---|---|---|
| priority | smallint | Priority is calculated by (Facility * 8 + Severity). The lower this value, the higher the importance of the log message. |
| facility | smallint | Facility value helps determine which process created the message, e.g. 0 = kernel messages, 3 = system daemons. |
| severity | smallint | Severity indicates how severe the message is, e.g. 0 = Emergency to 7 = Debug. |
| timestamp | timestamp | Timestamp of the syslog message in UTC. |
| hostname | string | Hostname identifies the machine that originally sent the syslog message. |
| appname | string | Appname identifies the device or application that originated the syslog message. |
| procid | string | ProcID is often the process ID, but can be any value used to enable log analyzers to detect discontinuities in syslog reporting. |
| msgid | string | MsgID identifies the type of message. For example, a firewall might use the MsgID 'TCPIN' for incoming TCP traffic. |
| message | string | Message contains free-form text that provides information about the event. |
| p_log_type | string | Panther-added field with the type of log. |
| p_row_id | string | Panther-added field with a unique id (within the table). |
| p_event_time | timestamp | Panther-added standardized event time (UTC). |
| p_parse_time | timestamp | Panther-added standardized log parse time (UTC). |
| p_source_id | string | Panther-added field with the source id. |
| p_source_label | string | Panther-added field with the source label. |
| p_any_ip_addresses | [string] | Panther-added field with the collection of IP addresses associated with the row. |
| p_any_domain_names | [string] | Panther-added field with the collection of domain names associated with the row. |
| p_any_sha1_hashes | [string] | Panther-added field with the collection of SHA1 hashes associated with the row. |
| p_any_md5_hashes | [string] | Panther-added field with the collection of MD5 hashes associated with the row. |
| p_any_sha256_hashes | [string] | Panther-added field with the collection of SHA256 hashes of any algorithm associated with the row. |
Syslog parser for the RFC5424 format

| Column | Type | Description |
|---|---|---|
| priority | smallint | Priority is calculated by (Facility * 8 + Severity). The lower this value, the higher the importance of the log message. |
| facility | smallint | Facility value helps determine which process created the message, e.g. 0 = kernel messages, 3 = system daemons. |
| severity | smallint | Severity indicates how severe the message is, e.g. 0 = Emergency to 7 = Debug. |
| version | int | Version of the syslog message protocol. RFC5424 mandates that version cannot be 0, so a 0 value signals no version. |
| timestamp | timestamp | Timestamp of the syslog message in UTC. |
| hostname | string | Hostname identifies the machine that originally sent the syslog message. |
| appname | string | Appname identifies the device or application that originated the syslog message. |
| procid | string | ProcID is often the process ID, but can be any value used to enable log analyzers to detect discontinuities in syslog reporting. |
| msgid | string | MsgID identifies the type of message. For example, a firewall might use the MsgID 'TCPIN' for incoming TCP traffic. |
| structured_data | { string: { string: string } } | StructuredData provides a mechanism to express information in a well-defined and easily parsable format. |
| message | string | Message contains free-form text that provides information about the event. |
| p_log_type | string | Panther-added field with the type of log. |
| p_row_id | string | Panther-added field with a unique id (within the table). |
| p_event_time | timestamp | Panther-added standardized event time (UTC). |
| p_parse_time | timestamp | Panther-added standardized log parse time (UTC). |
| p_source_id | string | Panther-added field with the source id. |
| p_source_label | string | Panther-added field with the source label. |
| p_any_ip_addresses | [string] | Panther-added field with the collection of IP addresses associated with the row. |
| p_any_domain_names | [string] | Panther-added field with the collection of domain names associated with the row. |
| p_any_sha1_hashes | [string] | Panther-added field with the collection of SHA1 hashes associated with the row. |
| p_any_md5_hashes | [string] | Panther-added field with the collection of MD5 hashes associated with the row. |
| p_any_sha256_hashes | [string] | Panther-added field with the collection of SHA256 hashes of any algorithm associated with the row. |
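As an added example (not Panther's parser and not code from this page), the following Python function maps one RFC 5424 line onto the parser columns above: it splits PRI into priority, facility and severity (the same decomposition the RFC3164 table describes), turns the "-" NILVALUE into a null, and parses STRUCTURED-DATA into the nested { string: { string: string } } map. The helper names and the sample line are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD and MSG.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+)(?: (?P<rest>.*))?$", re.DOTALL)
# One SD-ELEMENT: [SD-ID PARAM-NAME="PARAM-VALUE" ...]; a value may escape " \ and ].
SD_ELEMENT_RE = re.compile(r'\[(?P<id>[^ \]]+)(?P<params>(?: [^= \]]+="(?:[^"\\]|\\.)*")*)\]')
PARAM_RE = re.compile(r' (?P<name>[^= \]]+)="(?P<value>(?:[^"\\]|\\.)*)"')

def _nil(value):
    return None if value == "-" else value  # "-" is the RFC 5424 NILVALUE

def _unescape(value):
    return re.sub(r'\\(["\\\]])', r"\1", value)

def parse_rfc5424(line):
    """Map one RFC 5424 line onto the columns of the RFC5424 table above."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("not an RFC 5424 header")
    pri = int(m.group("pri"))
    if pri > 191:  # facility is 0..23 and severity 0..7, so PRIVAL is at most 191
        raise ValueError("PRIVAL out of range")
    ts = _nil(m.group("ts"))
    if ts is not None:
        ts = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    rest = m.group("rest") or "-"
    structured_data = {}  # column type { string: { string: string } }
    if rest.startswith("-"):  # NILVALUE: no STRUCTURED-DATA present
        rest = rest[1:]
    while rest.startswith("["):  # zero or more SD-ELEMENTs, each keyed by SD-ID
        el = SD_ELEMENT_RE.match(rest)
        if el is None:
            raise ValueError("malformed STRUCTURED-DATA")
        structured_data[el.group("id")] = {p.group("name"): _unescape(p.group("value"))
                                           for p in PARAM_RE.finditer(el.group("params"))}
        rest = rest[el.end():]
    return {
        "priority": pri, "facility": pri // 8, "severity": pri % 8,  # PRI = facility*8 + severity
        "version": int(m.group("version")), "timestamp": ts,
        "hostname": _nil(m.group("host")), "appname": _nil(m.group("app")),
        "procid": _nil(m.group("procid")), "msgid": _nil(m.group("msgid")),
        "structured_data": structured_data,
        "message": rest[1:] if rest.startswith(" ") else rest,  # MSG follows a single space
    }

# Sample line modelled on the RFC 5424 example (constructed input, not from a real host).
SAMPLE = ('<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
          '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"]'
          '[examplePriority@32473 class="high"] An application event log entry')
```

Running parse_rfc5424(SAMPLE) yields priority 165, facility 20 and severity 5, a null procid, and two structured_data elements keyed by their SD-IDs.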