Fluentd Logs

Connecting Fluentd logs to your Panther Console

Overview

Panther supports ingesting Fluentd logs via common Data Transport options: HTTP Source, Amazon Web Services (AWS) S3 and SQS.

How to onboard Fluentd logs to Panther

To connect these logs to Panther:

  1. In the left-hand navigation menu of the Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for "Fluentd", then click its tile.

  4. In the slide-out panel, select the Transport Mechanism you wish to use for this integration.

  5. Click Start Setup.

  6. Follow Panther's instructions for configuring your chosen Data Transport method:

  7. Configure Fluentd to push logs to the Data Transport source.

    • See Fluentd's documentation for instructions on pushing logs to your selected Data Transport source.

Supported log types

Fluentd.Syslog3164

Fluentd syslog parser for the RFC3164 format (i.e., BSD-syslog messages).

For more information, see the Fluentd Documentation on Syslog RFC-3164 Parser.

schema: Fluentd.Syslog3164
description: Fluentd syslog parser for the RFC3164 format (ie. BSD-syslog messages)
referenceURL: https://docs.fluentd.org/parser/syslog#rfc3164-log
fields:
    - name: pri
      description: Priority is calculated by (Facility * 8 + Severity). The lower this value, the higher importance of the log message.
      type: smallint
    - name: host
      required: true
      description: Hostname identifies the machine that originally sent the syslog message.
      type: string
      indicators:
        - hostname
    - name: ident
      required: true
      description: Appname identifies the device or application that originated the syslog message.
      type: string
    - name: pid
      description: ProcID is often the process ID, but can be any value used to enable log analyzers to detect discontinuities in syslog reporting.
      type: bigint
    - name: message
      required: true
      description: Message contains free-form text that provides information about the event.
      type: string
    - name: time
      required: true
      description: Timestamp of the syslog message in UTC.
      type: timestamp
      timeFormats:
        - '%Y-%m-%d %H:%M:%S %z'
      isEventTime: true
    - name: tag
      required: true
      description: Tag of the syslog message
      type: string
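The schema above lists what Panther expects in each Fluentd.Syslog3164 event. As an added illustration (not Panther's or Fluentd's own code), the Python below maps a constructed RFC 3164 line onto those fields, renders `time` in the schema's `timeFormats` and decodes `pri` into facility and severity; the regular expression and the year/UTC handling are assumptions for the example, not Fluentd's actual parser.

```python
import re
from datetime import datetime, timezone

# Constructed sample: one BSD-syslog (RFC 3164) line as Fluentd's syslog
# input would receive it, plus the tag Fluentd assigns to the event.
SAMPLE_LINE = "<34>Oct 11 22:14:15 mymachine su[1234]: 'su root' failed for lonvick on /dev/pts/8"
SAMPLE_TAG = "syslog.auth.crit"

# Assumed pattern covering the fields the Fluentd.Syslog3164 schema declares:
# pri, time, host, ident, optional pid, message.
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<time>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<ident>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)

SCHEMA_TIME_FORMAT = "%Y-%m-%d %H:%M:%S %z"  # timeFormats entry of Fluentd.Syslog3164
REQUIRED_FIELDS = ("host", "ident", "message", "time", "tag")  # required: true above


def parse_rfc3164(line, tag, year=None):
    """Map one RFC 3164 line onto the Fluentd.Syslog3164 field names."""
    m = RFC3164_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 message")
    # BSD timestamps carry neither year nor zone; the schema states UTC, and the
    # year is assumed to be the current one unless the caller supplies it.
    year = year or datetime.now(timezone.utc).year
    ts = datetime.strptime(f"{year} {m['time']}", "%Y %b %d %H:%M:%S")
    ts = ts.replace(tzinfo=timezone.utc)
    return {
        "pri": int(m["pri"]),
        "host": m["host"],
        "ident": m["ident"],
        "pid": int(m["pid"]) if m["pid"] else None,  # pid is optional in the schema
        "message": m["message"],
        "time": ts.strftime(SCHEMA_TIME_FORMAT),
        "tag": tag,
    }


def decode_pri(pri):
    """Split pri into (facility, severity), since pri = facility * 8 + severity."""
    return divmod(pri, 8)


def missing_required(event):
    """Return the schema-required fields that are absent or empty in the event."""
    return [f for f in REQUIRED_FIELDS if not event.get(f)]
```

Running `parse_rfc3164(SAMPLE_LINE, SAMPLE_TAG, year=2023)` yields `pri` 34, which `decode_pri` splits into facility 4 (auth) and severity 2 (critical), the kind of triage signal the schema description of `pri` refers to.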

Fluentd.Syslog5424

Fluentd syslog parser for the RFC5424 format (i.e., BSD-syslog messages).

For more information, see the Fluentd Documentation for Syslog RFC-5424 Parser.

schema: Fluentd.Syslog5424
description: Fluentd syslog parser for the RFC5424 format (ie. BSD-syslog messages)
referenceURL: https://docs.fluentd.org/parser/syslog#rfc5424-log
fields:
    - name: pri
      description: Priority is calculated by (Facility * 8 + Severity). The lower this value, the higher importance of the log message.
      type: smallint
    - name: host
      required: true
      description: Hostname identifies the machine that originally sent the syslog message.
      type: string
      indicators:
        - hostname
    - name: ident
      required: true
      description: Appname identifies the device or application that originated the syslog message.
      type: string
    - name: pid
      required: true
      description: ProcID is often the process ID, but can be any value used to enable log analyzers to detect discontinuities in syslog reporting.
      type: bigint
    - name: msgid
      required: true
      description: MsgID identifies the type of message. For example, a firewall might use the MsgID 'TCPIN' for incoming TCP traffic.
      type: string
    - name: extradata
      required: true
      description: ExtraData contains syslog structured data as string
      type: string
    - name: message
      required: true
      description: Message contains free-form text that provides information about the event.
      type: string
    - name: time
      required: true
      description: Timestamp of the syslog message in UTC.
      type: timestamp
      timeFormats:
        - '%Y-%m-%d %H:%M:%S %z'
      isEventTime: true
    - name: tag
      required: true
      description: Tag of the syslog message
      type: string
