Syslog Logs

Connecting Syslog logs to your Panther Console

Overview

Panther supports ingesting Syslog logs via common Data Transport options: Amazon Web Services (AWS) S3, SQS, and CloudWatch.

How to onboard Syslog logs to Panther

To connect these logs to Panther:

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for the log type you want to onboard, then click its tile.

  4. Select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring the method.

  5. Configure your syslog forwarder to write logs to the Data Transport source you selected.

    • Consult your forwarder's documentation for guidance on writing to the Data Transport source of your choice.

Syslog onboarding requires a log forwarder (for example rsyslog, syslog-ng, or Fluentd): Panther reads syslog from the S3, SQS, and CloudWatch transports listed above rather than from a syslog listener of its own. Have the forwarder emit one message per line and keep the original message header intact, because the priority field (and therefore facility and severity) is required by both parsers below and cannot be recovered if the forwarder strips the <PRI> prefix.

Supported log types

Required fields are marked required: true in the schemas below.

Syslog.RFC3164

Syslog parser for the RFC3164 format (i.e., BSD-syslog messages).

Reference: RFC 3164, The BSD syslog Protocol.

schema: Syslog.RFC3164
description: Syslog parser for the RFC3164 format (i.e., BSD-syslog messages)
referenceURL: https://tools.ietf.org/html/rfc3164
fields:
    - name: priority
      required: true
      description: Priority (PRI) is calculated as Facility * 8 + Severity and ranges from 0 to 191. Rank messages by the severity field rather than by this value, since a lower priority does not by itself mean a more important message (for example, 8 = user.emerg is more severe than 3 = kern.err).
      type: smallint
    - name: facility
      required: true
      description: 'Facility value indicates which subsystem created the message, e.g. 0 = kernel messages, 3 = system daemons, 4 = security/authorization, 16-23 = local0 through local7.'
      type: smallint
    - name: severity
      required: true
      description: 'Severity indicates how severe the message is, from 0 = Emergency to 7 = Debug; lower values are more severe.'
      type: smallint
    - name: timestamp
      description: Timestamp of the syslog message in UTC. RFC3164 timestamps carry neither a year nor a time zone, so both must be assumed when the message is parsed.
      type: timestamp
      timeFormats:
        - rfc3339
        - '%b  %d %H:%M:%S'
      isEventTime: true
    - name: hostname
      description: Hostname identifies the machine that originally sent the syslog message.
      type: string
      indicators:
        - hostname
    - name: appname
      description: Appname identifies the device or application that originated the syslog message.
      type: string
    - name: procid
      description: ProcID is often the process ID, but can be any value used to enable log analyzers to detect discontinuities in syslog reporting.
      type: string
    - name: msgid
      description: MsgID identifies the type of message. For example, a firewall might use the MsgID 'TCPIN' for incoming TCP traffic.
      type: string
    - name: message
      description: Message contains free-form text that provides information about the event.
      type: string

Syslog.RFC5424

Syslog parser for the RFC5424 format.

Reference: RFC 5424, The Syslog Protocol.

schema: Syslog.RFC5424
description: Syslog parser for the RFC5424 format.
referenceURL: https://tools.ietf.org/html/rfc5424
fields:
    - name: priority
      required: true
      description: Priority (PRI) is calculated as Facility * 8 + Severity and ranges from 0 to 191. Rank messages by the severity field rather than by this value, since a lower priority does not by itself mean a more important message (for example, 8 = user.emerg is more severe than 3 = kern.err).
      type: smallint
    - name: facility
      required: true
      description: 'Facility value indicates which subsystem created the message, e.g. 0 = kernel messages, 3 = system daemons, 4 = security/authorization, 16-23 = local0 through local7.'
      type: smallint
    - name: severity
      required: true
      description: 'Severity indicates how severe the message is, from 0 = Emergency to 7 = Debug; lower values are more severe.'
      type: smallint
    - name: version
      required: true
      description: Version of the syslog message protocol. RFC5424 mandates that version cannot be 0, so a 0 value signals no version.
      type: int
    - name: timestamp
      description: Timestamp of the syslog message in UTC.
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true
    - name: hostname
      description: Hostname identifies the machine that originally sent the syslog message.
      type: string
      indicators:
        - hostname
    - name: appname
      description: Appname identifies the device or application that originated the syslog message.
      type: string
    - name: procid
      description: ProcID is often the process ID, but can be any value used to enable log analyzers to detect discontinuities in syslog reporting.
      type: string
    - name: msgid
      description: MsgID identifies the type of message. For example, a firewall might use the MsgID 'TCPIN' for incoming TCP traffic.
      type: string
    - name: structured_data
      description: StructuredData provides a mechanism to express information in a well defined and easily parsable format.
      type: json
    - name: message
      description: Message contains free-form text that provides information about the event.
      type: string
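As an added example (not Panther's own parser, and not part of the original page), the following Python decodes both formats above into records carrying the same field names as the Syslog.RFC3164 and Syslog.RFC5424 schemas: it splits PRI into facility and severity, maps the RFC 5424 NILVALUE "-" to a missing field, parses STRUCTURED-DATA into the nested object the structured_data json field holds (including the backslash escapes allowed inside parameter values), and makes the RFC 3164 year and time-zone assumption explicit. The sample lines are constructed for this example, adapted from the examples in the two RFCs; the facility and severity names are the standard ones from RFC 3164 section 4.1.1.

```python
"""Decode RFC 3164 (BSD) and RFC 5424 syslog lines into records shaped like the Syslog.RFC3164
and Syslog.RFC5424 schemas above. Added example, not Panther's parser; samples are constructed."""
import re
from datetime import datetime, timezone
from typing import Optional
# PRI is "<N>" with N = facility * 8 + severity (RFC 3164 s4.1.1, RFC 5424 s6.2.1).
PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 5424 header: VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD and optional MSG.
RFC5424_RE = re.compile(
    r"^(?P<version>[1-9]\d{0,2}) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.DOTALL)
# RFC 3164 header: "Mmm dd hh:mm:ss" (day space-padded, no year, no zone) HOSTNAME TAG[pid]: MSG.
RFC3164_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) "
    r"(?P<appname>[^\s:\[]+)(?:\[(?P<procid>[^\]]+)\])?:\s?(?P<message>.*)$", re.DOTALL)
# SD-ELEMENT = "[" SD-ID *(SP PARAM-NAME "=" DQUOTE PARAM-VALUE DQUOTE) "]"; values escape " \ ] with \.
SD_ELEMENT_RE = re.compile(r'\[(?P<id>[^\s\]=]+)(?P<params>(?: [^\s=\]]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM_RE = re.compile(r' ([^\s=\]]+)="((?:[^"\\]|\\.)*)"')
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
                  "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + [f"local{i}" for i in range(8)]

def split_priority(pri: int) -> dict:
    """Decompose PRI into the schema's priority, facility and severity fields."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return {"priority": pri, "facility": pri // 8, "severity": pri % 8}

def describe_priority(pri: int) -> str:
    """facility.severity name, e.g. 34 -> 'auth.crit'. Rank messages by severity, not by
    PRI: "<8>" (user.emerg) has a larger PRI than "<3>" (kern.err) but is far more severe."""
    p = split_priority(pri)
    return f"{FACILITY_NAMES[p['facility']]}.{SEVERITY_NAMES[p['severity']]}"

def _rfc3339_utc(ts: str) -> Optional[datetime]:
    """Parse an RFC 3339 timestamp ('-' = NILVALUE) and normalise it to UTC."""
    if ts == "-":
        return None
    ts = ts[:-1] + "+00:00" if ts.endswith("Z") else ts   # older fromisoformat() rejects 'Z'
    return datetime.fromisoformat(ts).astimezone(timezone.utc)

def _split_sd(rest: str):
    """Split 'STRUCTURED-DATA [SP MSG]'; backslash escapes inside PARAM-VALUE are honoured."""
    if rest.startswith("-"):
        return "-", (rest[2:] if rest.startswith("- ") else "")
    i, n = 0, len(rest)
    while i < n and rest[i] == "[":
        in_quotes, i = False, i + 1
        while i < n:
            c = rest[i]
            if in_quotes and c == "\\":
                i += 2                                  # skip the escaped character
                continue
            if c == '"':
                in_quotes = not in_quotes
            elif c == "]" and not in_quotes:
                i += 1
                break
            i += 1
    return rest[:i], (rest[i + 1:] if i < n and rest[i] == " " else "")

def _parse_structured_data(sd: str) -> dict:
    """SD-ELEMENTs -> {sd_id: {param: value}} for the structured_data json field."""
    return {el.group("id"): {name: re.sub(r'\\(["\\\]])', r"\1", raw)   # unescape \" \\ \]
                            for name, raw in SD_PARAM_RE.findall(el.group("params"))}
            for el in SD_ELEMENT_RE.finditer(sd)}

def parse_syslog(line: str, assumed_year: Optional[int] = None) -> dict:
    """Parse one line into a schema-shaped record. RFC 3164 timestamps carry neither year
    nor zone, so the year (default: current UTC year) and UTC are assumed, not read."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing PRI; priority is a required field in both schemas")
    record, body = split_priority(int(m.group(1))), line[m.end():]
    nil = lambda v: None if v == "-" else v                 # RFC 5424 NILVALUE
    h = RFC5424_RE.match(body)
    if h:
        sd_text, message = _split_sd(h.group("rest"))
        record.update(schema="Syslog.RFC5424", version=int(h.group("version")),
                      timestamp=_rfc3339_utc(h.group("timestamp")), hostname=nil(h.group("hostname")),
                      appname=nil(h.group("appname")), procid=nil(h.group("procid")), msgid=nil(h.group("msgid")),
                      structured_data=_parse_structured_data(sd_text), message=message or None)
        return record
    b = RFC3164_RE.match(body)
    if not b:
        raise ValueError("unrecognised syslog header")
    year = assumed_year or datetime.now(timezone.utc).year
    ts = datetime.strptime(b.group("timestamp"), "%b %d %H:%M:%S").replace(year=year, tzinfo=timezone.utc)
    record.update(schema="Syslog.RFC3164", timestamp=ts, hostname=b.group("hostname"), appname=b.group("appname"),
                  procid=b.group("procid"), msgid=None, message=b.group("message"))
    return record

# Constructed sample input (adapted from the RFC 3164 s5.4 and RFC 5424 s6.5 examples).
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su[1234]: 'su root' failed for lonvick on /dev/pts/8",
    '<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] An application event log entry',
    "<8>1 2003-10-11T22:14:16.000Z host01 app 42 - -",
    r'<13>1 2024-01-02T03:04:05+01:00 host01 app - - [meta path="C:\\tmp" note="say \"hi\""]',
]
```

Calling parse_syslog() on each of SAMPLE_LINES (pass assumed_year for the RFC 3164 line so the result is reproducible) yields one record per line; describe_priority() on the priority values shows why the clarified description above tells you to rank by severity: "<8>" decodes to user.emerg and "<34>" to auth.crit, while "<165>" is only local4.notice despite the largest PRI.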
