Tailscale Logs (Beta)

Panther supports receiving Tailscale logs directly via webhook

Overview

Tailscale log ingestion is in open beta starting with Panther version 1.74. Please share any bug reports and feature requests with your Panther support team.

Panther ingests Tailscale configuration audit and network flow logs by configuring Tailscale Log Streaming to post events to a Panther HTTP source.

How to onboard Tailscale logs to Panther

To onboard Tailscale logs to Panther, you'll first create a new log source in Panther, then configure Tailscale to send events to a Panther HTTP endpoint.

Prerequisites

  • In order to successfully complete this process, your Tailscale user must have one of the following roles: Owner, Admin, Network admin, or IT admin.

  • Tailscale only supports one streaming destination (e.g., Panther, Splunk, Elasticsearch) per log type. If you are currently streaming to another source, you must first disable your old source.

Step 1: Create a new Tailscale log source in Panther

  1. In the left-side navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for “Tailscale,” then click its tile.

    • In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the HTTP option.

  4. Click Start Setup.

  5. Follow Panther's instructions for configuring an HTTP Source.

    • You will be required to use Bearer authentication. This is the method of authentication Tailscale supports for integrating with Panther.

Step 2: Create a new Log Stream in Tailscale

  1. Log in to your Tailscale admin console.

  2. In the navigation bar at the top of the screen, click Logs.

  3. Under Configuration logs, click Start streaming.

  4. Under Select a destination, select Panther, then provide values for the following fields:

    • URL: Enter your HTTP Source URL from Step 1.

    • Token: Enter your Bearer token from Step 1. Paste in only the token, without including the word "Bearer."

  5. Click Start streaming.

Supported Log Types

Required fields in the schema are listed as "required: true"

Tailscale.Audit

schema: Tailscale.Audit
description: Event logs from Tailscale Audit Log Stream
referenceURL: https://tailscale.com/kb/1255/log-streaming/#configuration-audit-log-streaming
fields:
  - name: time
    required: true
    description: Timestamp of when the event was generated on the Tailscale control server
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: event
    required: true
    description: Collection of fields related to the log event
    type: object
    fields:
      - name: deferredAt
        description: Timestamp of when a rate-limited event was enqueued to be logged at a later time
        type: timestamp
        timeFormats:
          - rfc3339
      - name: eventGroupID
        description: Opaque identifier assigned to one or more audit events that occurred atomically
        type: string
      - name: origin
        required: true
        description: The initiator of the action that generated the event
        type: string
      - name: actor
        required: true
        description: The person who caused the action
        type: object
        fields:
          - name: id
            description: Actor's identifier
            type: string
            indicators:
              - actor_id
          - name: type
            description: Type of actor
            type: string
          - name: loginName
            description: Actor's login name
            type: string
            indicators:
              - email
          - name: displayName
            type: string
          - name: tags
            type: array
            element:
              type: string
      - name: target
        required: true
        description: The object of this event's action
        type: object
        fields:
          - name: id
            description: ID of the target
            type: string
          - name: name
            description: Name of the target
            type: string
          - name: type
            description: Type of target
            type: string
          - name: property
            description: Property changed in the target
            type: string
      - name: action
        required: true
        description: Type of action performed against the target
        type: string
      - name: old
        description: The old value prior to the event
        type: json
      - name: new
        description: The new value after the event
        type: json
      - name: actionDetails
        description: Additional information about the event
        type: string
      - name: error
        description: Reason why the action failed to complete
        type: string
  - name: fields
    description: Object containing additional recorded field data
    type: object
    fields:
      - name: recorded
        description: Timestamp of when the event was recorded by Tailscale's logging service
        type: timestamp
        timeFormats:
          - rfc3339

Tailscale.Network

schema: Tailscale.Network
description: Event logs from Tailscale Network Log Stream
referenceURL: https://tailscale.com/kb/1255/log-streaming/#network-flow-log-streaming
fields:
  - name: time
    required: true
    description: Timestamp of when the event was generated on a Tailscale client
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: event
    required: true
    description: Main event object containing multiple sub-fields
    type: object
    fields:
      - name: nodeId
        description: ID associated with the node in the tailnet
        type: string
      - name: start
        description: Starting timestamp of window for network statistics (inclusive)
        type: timestamp
        timeFormats:
          - rfc3339
      - name: end
        type: timestamp
        description: Ending timestamp of window for network statistics (inclusive)
        timeFormats:
          - rfc3339
      - name: virtualTraffic
        description: Connection statistics for node to node traffic within a tailnet
        type: json
      - name: subnetTraffic
        description: Connection statistics for node to external traffic on a subnet route
        type: json
      - name: exitTraffic
        description: Aggregated connection statistics for traffic through an exit node
        type: json
      - name: physicalTraffic
        description: Connection statistics for traffic at the physical layer
        type: json
  - name: fields
    description: Object containing additional recorded field data
    type: object
    fields:
      - name: recorded
        description: Timestamp of when the event was recorded by Tailscale's logging service
        type: timestamp
        timeFormats:
          - rfc3339

Last updated

Was this helpful?

#1935: [1.78] Add filtering section

Change request updated