Tailscale Logs (Beta)
Panther supports receiving Tailscale logs directly via webhook
Overview
Panther ingests Tailscale configuration audit and network flow logs by configuring Tailscale Log Streaming to post events to a Panther HTTP source.
To use log streaming in Tailscale, which is required to ingest Tailscale logs into Panther, you must have an Enterprise Tailscale plan.
How to onboard Tailscale logs to Panther
To onboard Tailscale logs to Panther, you'll first create a new log source in Panther, then configure Tailscale to send events to a Panther HTTP endpoint.
Prerequisites
In order to successfully complete this process, your Tailscale user must have one of the following roles: Owner, Admin, Network admin, or IT admin.
Tailscale only supports one streaming destination (e.g., Panther, Splunk, Elasticsearch) per log type. If you are currently streaming to another source, you must first disable your old source.
Step 1: Create a new Tailscale log source in Panther
In the left-side navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Tailscale,” then click its tile.
In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the HTTP option.
Click Start Setup.
Follow Panther's instructions for configuring an HTTP Source.
You will be required to use Bearer authentication. This is the method of authentication Tailscale supports for integrating with Panther.
Step 2: Create a new Log Stream in Tailscale
Log in to your Tailscale admin console.
In the navigation bar at the top of the screen, click Logs.
Under Configuration logs, click Start streaming.
Under Select a destination, select Panther, then provide values for the following fields:
URL: Enter your HTTP Source URL from Step 1.
Token: Enter your Bearer token from Step 1. Paste in only the token, without including the word "Bearer."
Click Start streaming.
Supported Log Types
Tailscale.Audit
schema: Tailscale.Audit
description: Event logs from Tailscale Audit Log Stream
referenceURL: https://tailscale.com/kb/1255/log-streaming/#configuration-audit-log-streaming
fields:
- name: time
required: true
description: Timestamp of when the event was generated on the Tailscale control server
type: timestamp
timeFormats:
- unix
isEventTime: true
- name: event
required: true
description: Collection of fields related to the log event
type: object
fields:
- name: deferredAt
description: Timestamp of when a rate-limited event was enqueued to be logged at a later time
type: timestamp
timeFormats:
- rfc3339
- name: eventGroupID
description: Opaque identifier assigned to one or more audit events that occurred atomically
type: string
- name: origin
required: true
description: The initiator of the action that generated the event
type: string
- name: actor
required: true
description: The person who caused the action
type: object
fields:
- name: id
description: Actor's identifier
type: string
indicators:
- actor_id
- name: type
description: Type of actor
type: string
- name: loginName
description: Actor's login name
type: string
indicators:
- email
- name: displayName
type: string
- name: tags
type: array
element:
type: string
- name: target
required: true
description: The object of this event's action
type: object
fields:
- name: id
description: ID of the target
type: string
- name: name
description: Name of the target
type: string
- name: type
description: Type of target
type: string
- name: property
description: Property changed in the target
type: string
- name: action
required: true
description: Type of action performed against the target
type: string
- name: old
description: The old value prior to the event
type: json
- name: new
description: The new value after the event
type: json
- name: actionDetails
description: Additional information about the event
type: string
- name: error
description: Reason why the action failed to complete
type: string
- name: fields
description: Object containing additional recorded field data
type: object
fields:
- name: recorded
description: Timestamp of when the event was recorded by Tailscale's logging service
type: timestamp
timeFormats:
- rfc3339Tailscale.Network
schema: Tailscale.Network
description: Event logs from Tailscale Network Log Stream
referenceURL: https://tailscale.com/kb/1255/log-streaming/#network-flow-log-streaming
fields:
- name: time
required: true
description: Timestamp of when the event was generated on a Tailscale client
type: timestamp
timeFormats:
- unix
isEventTime: true
- name: event
required: true
description: Main event object containing multiple sub-fields
type: object
fields:
- name: nodeId
description: ID associated with the node in the tailnet
type: string
- name: start
description: Starting timestamp of window for network statistics (inclusive)
type: timestamp
timeFormats:
- rfc3339
- name: end
type: timestamp
description: Ending timestamp of window for network statistics (inclusive)
timeFormats:
- rfc3339
- name: virtualTraffic
description: Connection statistics for node to node traffic within a tailnet
type: json
- name: subnetTraffic
description: Connection statistics for node to external traffic on a subnet route
type: json
- name: exitTraffic
description: Aggregated connection statistics for traffic through an exit node
type: json
- name: physicalTraffic
description: Connection statistics for traffic at the physical layer
type: json
- name: fields
description: Object containing additional recorded field data
type: object
fields:
- name: recorded
description: Timestamp of when the event was recorded by Tailscale's logging service
type: timestamp
timeFormats:
- rfc3339Last updated
Was this helpful?