# Tailscale Logs (Beta)

## Overview

{% hint style="info" %}
Tailscale log ingestion is in open beta starting with Panther version 1.74. Please share any bug reports and feature requests with your Panther support team.
{% endhint %}

Panther ingests Tailscale [configuration audit](https://tailscale.com/kb/1203/audit-logging/) and [network flow](https://tailscale.com/kb/1219/network-flow-logs/) logs. To enable ingestion, you configure [Tailscale Log Streaming](https://tailscale.com/kb/1255/log-streaming/) to post events to a Panther [HTTP source](https://docs.panther.com/~/changes/15ann7vKLltCCAGHtdQr/data-onboarding/data-transports/http).

{% hint style="warning" %}
To use [log streaming](https://tailscale.com/kb/1255/log-streaming/) in Tailscale, which is required to ingest Tailscale logs into Panther, you must have an [Enterprise Tailscale plan](https://tailscale.com/pricing/).
{% endhint %}

## How to onboard Tailscale logs to Panther

To onboard Tailscale logs to Panther, you'll first create a new log source in Panther, then configure Tailscale to send events to a Panther HTTP endpoint.

### Prerequisites

* To complete this process, your Tailscale user must have one of the following roles: [Owner, Admin, Network admin, or IT admin](https://tailscale.com/kb/1138/user-roles/).
* Tailscale only supports one streaming destination (e.g., Panther, Splunk, Elasticsearch) per log type. If you are currently streaming to another destination, you must first disable it.

### Step 1: Create a new Tailscale log source in Panther

1. In the left-side navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New**.
3. Search for “Tailscale,” then click its tile.
   * In the slide-out panel, the **Transport Mechanism** dropdown in the upper-right corner will be pre-populated with the **HTTP** option.
4. Click **Start Setup**.\
   ![The Tailscale log source setup page is shown. In the upper-right corner, there is a "Transport Mechanism" dropdown field, with "HTTP" selected. To its right is a "Start Setup" button.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FwAykJgTl7TLyW2Y3SSrL%2FScreenshot%202023-06-28%20at%2010.34.26%20AM.png?alt=media\&token=b409412d-3bbd-403c-8d3f-57ca4e9157a1)
5. Follow [Panther's instructions for configuring an HTTP Source](https://docs.panther.com/~/changes/15ann7vKLltCCAGHtdQr/data-onboarding/data-transports/http).
   * You will be required to use [Bearer authentication](https://docs.panther.com/~/changes/15ann7vKLltCCAGHtdQr/data-transports/http#bearer). This is the method of authentication Tailscale supports for integrating with Panther.

### Step 2: Create a new Log Stream in Tailscale

1. Log in to your Tailscale admin console.
2. In the navigation bar at the top of the screen, click **Logs**.
3. Under **Configuration logs**, click **Start streaming**.
4. Under **Select a destination**, select **Panther**, then provide values for the following fields:
   * **URL**: Enter your HTTP Source URL from Step 1.
   * **Token**: Enter your Bearer token from Step 1. Paste in only the token, without including the word "Bearer."\
     ![](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Ff04B6VUjUsuilrpog3DM%2Fimage.png?alt=media\&token=f1943d9a-380f-4455-b6aa-b5c29de847c6)
5. Click **Start streaming**.

## Supported Log Types

{% hint style="info" %}
Required fields in the schema are listed as **"required: true"**.
{% endhint %}

### Tailscale.Audit

```yaml
schema: Tailscale.Audit
description: Event logs from Tailscale Audit Log Stream
referenceURL: https://tailscale.com/kb/1255/log-streaming/#configuration-audit-log-streaming
fields:
  - name: time
    required: true
    description: Timestamp of when the event was generated on the Tailscale control server
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: event
    required: true
    description: Collection of fields related to the log event
    type: object
    fields:
      - name: deferredAt
        description: Timestamp of when a rate-limited event was enqueued to be logged at a later time
        type: timestamp
        timeFormats:
          - rfc3339
      - name: eventGroupID
        description: Opaque identifier assigned to one or more audit events that occurred atomically
        type: string
      - name: origin
        required: true
        description: The initiator of the action that generated the event
        type: string
      - name: actor
        required: true
        description: The person who caused the action
        type: object
        fields:
          - name: id
            description: Actor's identifier
            type: string
            indicators:
              - actor_id
          - name: type
            description: Type of actor
            type: string
          - name: loginName
            description: Actor's login name
            type: string
            indicators:
              - email
          - name: displayName
            type: string
          - name: tags
            type: array
            element:
              type: string
      - name: target
        required: true
        description: The object of this event's action
        type: object
        fields:
          - name: id
            description: ID of the target
            type: string
          - name: name
            description: Name of the target
            type: string
          - name: type
            description: Type of target
            type: string
          - name: property
            description: Property changed in the target
            type: string
      - name: action
        required: true
        description: Type of action performed against the target
        type: string
      - name: old
        description: The old value prior to the event
        type: json
      - name: new
        description: The new value after the event
        type: json
      - name: actionDetails
        description: Additional information about the event
        type: string
      - name: error
        description: Reason why the action failed to complete
        type: string
  - name: fields
    description: Object containing additional recorded field data
    type: object
    fields:
      - name: recorded
        description: Timestamp of when the event was recorded by Tailscale's logging service
        type: timestamp
        timeFormats:
          - rfc3339
```
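
The following added example (not part of Panther's or Tailscale's code) checks a JSON event against the required fields and timestamp formats of the `Tailscale.Audit` schema above, which is useful when troubleshooting events that do not parse as expected. The helper names and both sample events are constructed for illustration, and RFC 3339 parsing is approximated with Python's `datetime.fromisoformat`.

```python
from datetime import datetime, timezone

# Required paths (with expected JSON type) and timestamp formats, transcribed
# from the Tailscale.Audit schema on this page. None = checked as a timestamp.
REQUIRED = {"time": None, "event": dict, "event.origin": str,
            "event.actor": dict, "event.target": dict, "event.action": str}
TIME_FORMATS = {"time": "unix", "event.deferredAt": "rfc3339",
                "fields.recorded": "rfc3339"}

def lookup(obj, path):
    """Return the value at a dotted path, or None if any segment is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def parse_time(value, fmt):
    """Parse a timestamp in the named format; raises on a mismatch."""
    if fmt == "unix":  # seconds since the epoch, numeric or numeric string
        return datetime.fromtimestamp(float(value), tz=timezone.utc)
    # RFC 3339 approximated with fromisoformat; an explicit offset is required.
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        raise ValueError("timestamp has no UTC offset")
    return parsed

def validate(event):
    """Return a list of schema problems; an empty list means the event conforms."""
    problems = []
    for path, expected in REQUIRED.items():
        value = lookup(event, path)
        if value is None:
            problems.append(f"missing required field: {path}")
        elif expected and not isinstance(value, expected):
            problems.append(f"wrong type for {path}")
    for path, fmt in TIME_FORMATS.items():
        value = lookup(event, path)
        if value is not None:
            try:
                parse_time(value, fmt)
            except (ValueError, TypeError, AttributeError, OverflowError, OSError):
                problems.append(f"bad {fmt} timestamp: {path}")
    return problems

# Constructed sample events (illustrative values, not real Tailscale output).
GOOD = {"time": 1687973666, "event": {"origin": "ADMIN_CONSOLE", "action": "UPDATE", "actor": {"id": "u-constructed", "loginName": "alice@example.com"}, "target": {"id": "n-constructed", "type": "NODE"}}, "fields": {"recorded": "2023-06-28T17:34:27Z"}}
BAD = {"time": "2023-06-28T17:34:26Z", "event": {"origin": "ADMIN_CONSOLE", "action": "UPDATE", "target": {"id": "n-constructed"}, "deferredAt": 1687973666}}
```

`validate(GOOD)` returns an empty list, while `validate(BAD)` reports the missing `event.actor` object and the two timestamps supplied in the wrong format.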

### Tailscale.Network

```yaml
schema: Tailscale.Network
description: Event logs from Tailscale Network Log Stream
referenceURL: https://tailscale.com/kb/1255/log-streaming/#network-flow-log-streaming
fields:
  - name: time
    required: true
    description: Timestamp of when the event was generated on a Tailscale client
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: event
    required: true
    description: Main event object containing multiple sub-fields
    type: object
    fields:
      - name: nodeId
        description: ID associated with the node in the tailnet
        type: string
      - name: start
        description: Starting timestamp of window for network statistics (inclusive)
        type: timestamp
        timeFormats:
          - rfc3339
      - name: end
        type: timestamp
        description: Ending timestamp of window for network statistics (inclusive)
        timeFormats:
          - rfc3339
      - name: virtualTraffic
        description: Connection statistics for node to node traffic within a tailnet
        type: json
      - name: subnetTraffic
        description: Connection statistics for node to external traffic on a subnet route
        type: json
      - name: exitTraffic
        description: Aggregated connection statistics for traffic through an exit node
        type: json
      - name: physicalTraffic
        description: Connection statistics for traffic at the physical layer
        type: json
  - name: fields
    description: Object containing additional recorded field data
    type: object
    fields:
      - name: recorded
        description: Timestamp of when the event was recorded by Tailscale's logging service
        type: timestamp
        timeFormats:
          - rfc3339
```
