Tailscale Logs

Panther supports receiving Tailscale logs directly via webhook

Overview

Panther ingests Tailscale configuration audit and network flow logs by configuring Tailscale Log Streaming to post events to a Panther HTTP source.

To use log streaming in Tailscale, which is required to ingest Tailscale logs into Panther, you must have an Enterprise Tailscale plan.

How to onboard Tailscale logs to Panther

To onboard Tailscale logs to Panther, you'll first create a new log source in Panther, then configure Tailscale to send events to a Panther HTTP endpoint.

Prerequisites

  • To complete this process, your Tailscale user must have one of the following roles: Owner, Admin, Network admin, or IT admin.

  • Tailscale only supports one streaming destination (e.g., Panther, Splunk, Elasticsearch) per log type. If you are currently streaming to another destination, you must disable it first.

Step 1: Create a new Tailscale log source in Panther

  1. In the left-side navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for “Tailscale,” then click its tile.

    • In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the HTTP option.

  4. Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.

    • You will be required to use Bearer authentication. This is the method of authentication Tailscale supports for integrating with Panther.

Step 2: Create a new Log Stream in Tailscale

  1. Log in to your Tailscale admin console.

  2. In the navigation bar at the top of the screen, click Logs.

  3. Under Configuration logs, click Start streaming.

  4. Under Select a destination, select Panther, then provide values for the following fields:

    • URL: Enter your HTTP Source URL from Step 1.

  5. Click Start streaming.

Supported Log Types

Required fields in the schema are listed as "required: true".

Tailscale.Audit

schema: Tailscale.Audit
description: Event logs from Tailscale Audit Log Stream
referenceURL: https://tailscale.com/kb/1255/log-streaming/#configuration-audit-log-streaming
fields:
  - name: time
    required: true
    description: Timestamp of when the event was generated on the Tailscale control server
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: event
    required: true
    description: Collection of fields related to the log event
    type: object
    fields:
      - name: deferredAt
        description: Timestamp of when a rate-limited event was enqueued to be logged at a later time
        type: timestamp
        timeFormats:
          - rfc3339
      - name: eventGroupID
        description: Opaque identifier assigned to one or more audit events that occurred atomically
        type: string
      - name: origin
        required: true
        description: The initiator of the action that generated the event
        type: string
      - name: actor
        required: true
        description: The person who caused the action
        type: object
        fields:
          - name: id
            description: Actor's identifier
            type: string
            indicators:
              - actor_id
          - name: type
            description: Type of actor
            type: string
          - name: loginName
            description: Actor's login name
            type: string
            indicators:
              - email
          - name: displayName
            type: string
          - name: tags
            type: array
            element:
              type: string
      - name: target
        required: true
        description: The object of this event's action
        type: object
        fields:
          - name: id
            description: ID of the target
            type: string
          - name: name
            description: Name of the target
            type: string
          - name: type
            description: Type of target
            type: string
          - name: property
            description: Property changed in the target
            type: string
      - name: action
        required: true
        description: Type of action performed against the target
        type: string
      - name: old
        description: The old value prior to the event
        type: json
      - name: new
        description: The new value after the event
        type: json
      - name: actionDetails
        description: Additional information about the event
        type: string
      - name: error
        description: Reason why the action failed to complete
        type: string
  - name: fields
    description: Object containing additional recorded field data
    type: object
    fields:
      - name: recorded
        description: Timestamp of when the event was recorded by Tailscale's logging service
        type: timestamp
        timeFormats:
          - rfc3339
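The Tailscale.Audit schema above is easiest to understand through a rule that consumes it. The following is an added example written in Panther's Python rule shape (`rule`, `title`, `alert_context`); it is not a detection shipped by Panther or Tailscale. It uses only fields documented in the schema, treats `event` as a plain mapping so it also runs outside Panther on the constructed sample events at the bottom, and the `SENSITIVE_TARGET_TYPES` value is a placeholder, since the schema does not enumerate `target.type` values.

```python
"""Detection over Tailscale.Audit events (added example, Panther-style rule)."""

# Placeholder: the schema does not list target.type values, so populate this
# with the types you observe for policy-relevant objects in your own tailnet.
SENSITIVE_TARGET_TYPES = {"EXAMPLE_SENSITIVE_TARGET_TYPE"}


def _inner(event):
    # `event` (schema field) holds origin/actor/target/action/old/new/error.
    return event.get("event") or {}


def rule(event):
    ev = _inner(event)
    # A populated `error` means an admin action was attempted but did not
    # complete; failed changes are worth reviewing regardless of target.
    if ev.get("error"):
        return True
    target = ev.get("target") or {}
    # Any completed change to a sensitive target type also alerts.
    return target.get("type") in SENSITIVE_TARGET_TYPES


def title(event):
    ev = _inner(event)
    actor = (ev.get("actor") or {}).get("loginName", "unknown actor")
    target = ev.get("target") or {}
    outcome = "failed" if ev.get("error") else "performed"
    return (
        f"Tailscale: {actor} {outcome} {ev.get('action')} on "
        f"{target.get('type')} {target.get('name')}"
    )


def alert_context(event):
    ev = _inner(event)
    target = ev.get("target") or {}
    # old/new are typed `json` in the schema; pass them through for triage.
    return {
        "origin": ev.get("origin"),
        "actor_id": (ev.get("actor") or {}).get("id"),
        "action": ev.get("action"),
        "property": target.get("property"),
        "old": ev.get("old"),
        "new": ev.get("new"),
        "error": ev.get("error"),
        "eventGroupID": ev.get("eventGroupID"),
    }


# Constructed sample events (illustrative values, not real Tailscale output).
FAILED_EVENT = {
    "time": 1700000000,
    "event": {
        "origin": "example-origin",
        "actor": {"id": "u-1", "type": "user", "loginName": "alice@example.com"},
        "target": {"id": "t-1", "name": "example-target", "type": "EXAMPLE_OTHER_TYPE",
                   "property": "example-property"},
        "action": "EXAMPLE_ACTION",
        "old": {"value": 1},
        "new": {"value": 2},
        "error": "permission denied (constructed)",
    },
    "fields": {"recorded": "2023-11-14T22:13:25Z"},
}

BENIGN_EVENT = {
    "time": 1700000001,
    "event": {
        "origin": "example-origin",
        "actor": {"id": "u-2", "type": "user", "loginName": "bob@example.com"},
        "target": {"id": "t-2", "name": "example-target", "type": "EXAMPLE_OTHER_TYPE"},
        "action": "EXAMPLE_ACTION",
    },
    "fields": {"recorded": "2023-11-14T22:13:26Z"},
}

SENSITIVE_EVENT = {
    "time": 1700000002,
    "event": {
        "origin": "example-origin",
        "actor": {"id": "u-3", "type": "user", "loginName": "carol@example.com"},
        "target": {"id": "t-3", "name": "example-policy", "type": "EXAMPLE_SENSITIVE_TARGET_TYPE"},
        "action": "EXAMPLE_ACTION",
    },
    "fields": {"recorded": "2023-11-14T22:13:27Z"},
}

if __name__ == "__main__":
    for sample in (FAILED_EVENT, BENIGN_EVENT, SENSITIVE_EVENT):
        print(rule(sample), title(sample))
```

In Panther the same functions receive a `PantherEvent`, whose `get` behaves like the dict access used here, so the rule body does not change when deployed.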

Tailscale.Network

schema: Tailscale.Network
description: Event logs from Tailscale Network Log Stream
referenceURL: https://tailscale.com/kb/1255/log-streaming/#network-flow-log-streaming
fields:
  - name: time
    required: true
    description: Timestamp of when the event was generated on a Tailscale client
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: event
    required: true
    description: Main event object containing multiple sub-fields
    type: object
    fields:
      - name: nodeId
        description: ID associated with the node in the tailnet
        type: string
      - name: start
        description: Starting timestamp of window for network statistics (inclusive)
        type: timestamp
        timeFormats:
          - rfc3339
      - name: end
        type: timestamp
        description: Ending timestamp of window for network statistics (inclusive)
        timeFormats:
          - rfc3339
      - name: virtualTraffic
        description: Connection statistics for node to node traffic within a tailnet
        type: array
        element:
          type: object
          description: Statistics about a connection, where proto, src, and dst together identify a particular connection
          fields:
            - name: proto
              description: IP protocol number
              type: smallint
            - name: src
              type: string
              description: The source IP address and port
            - name: srcIp
              type: string
              description: The source IP address
              indicators: [ip]
              split:
                from: event.virtualTraffic.src
                separator: ':'
                index: 0
            - name: srcPort
              type: int
              description: The source port
              split:
                from: event.virtualTraffic.src
                separator: ':'
                index: 1
            - name: dst
              type: string
              description: The destination IP address and port
            - name: dstIp
              type: string
              description: The destination IP address
              indicators: [ip]
              split:
                from: event.virtualTraffic.dst
                separator: ':'
                index: 0
            - name: dstPort
              type: int
              description: The destination port
              split:
                from: event.virtualTraffic.dst
                separator: ':'
                index: 1
            - name: txPkts
              description: Number of packets transmitted within the window
              type: bigint
            - name: txBytes
              description: Number of bytes transmitted within the window
              type: bigint
            - name: rxPkts
              description: Number of packets received within the window
              type: bigint
            - name: rxBytes
              description: Number of bytes received within the window
              type: bigint
      - name: subnetTraffic
        description: Connection statistics for node to external traffic on a subnet route
        type: array
        element:
          type: object
          description: Statistics about a connection, where proto, src, and dst together identify a particular connection
          fields:
            - name: proto
              description: IP protocol number
              type: smallint
            - name: src
              type: string
              description: The source IP address and port
            - name: srcIp
              type: string
              description: The source IP address
              indicators: [ip]
              split:
                from: event.subnetTraffic.src
                separator: ':'
                index: 0
            - name: srcPort
              type: int
              description: The source port
              split:
                from: event.subnetTraffic.src
                separator: ':'
                index: 1
            - name: dst
              type: string
              description: The destination IP address and port
            - name: dstIp
              description: The destination IP address
              type: string
              indicators: [ip]
              split:
                from: event.subnetTraffic.dst
                separator: ':'
                index: 0
            - name: dstPort
              type: int
              description: The destination port
              split:
                from: event.subnetTraffic.dst
                separator: ':'
                index: 1
            - name: txPkts
              description: Number of packets transmitted within the window
              type: bigint
            - name: txBytes
              description: Number of bytes transmitted within the window
              type: bigint
            - name: rxPkts
              description: Number of packets received within the window
              type: bigint
            - name: rxBytes
              description: Number of bytes received within the window
              type: bigint
      - name: exitTraffic
        description: Aggregated connection statistics for traffic through an exit node
        type: array
        element:
          type: object
          description: Statistics about a connection, where proto, src, and dst together identify a particular connection
          fields:
            - name: proto
              description: IP protocol number
              type: smallint
            - name: src
              type: string
              description: The source IP address and port
            - name: srcIp
              type: string
              description: The source IP address
              indicators: [ip]
              split:
                from: event.exitTraffic.src
                separator: ':'
                index: 0
            - name: srcPort
              type: int
              description: The source port
              split:
                from: event.exitTraffic.src
                separator: ':'
                index: 1
            - name: dst
              type: string
              description: The destination IP address and port
            - name: dstIp
              type: string
              description: The destination IP address
              indicators: [ip]
              split:
                from: event.exitTraffic.dst
                separator: ':'
                index: 0
            - name: dstPort
              type: int
              description: The destination port
              split:
                from: event.exitTraffic.dst
                separator: ':'
                index: 1
            - name: txPkts
              description: Number of packets transmitted within the window
              type: bigint
            - name: txBytes
              description: Number of bytes transmitted within the window
              type: bigint
            - name: rxPkts
              description: Number of packets received within the window
              type: bigint
            - name: rxBytes
              description: Number of bytes received within the window
              type: bigint
      - name: physicalTraffic
        description: Connection statistics for traffic at the physical layer
        type: array
        element:
          type: object
          description: Statistics about a connection, where proto, src, and dst together identify a particular connection
          fields:
            - name: proto
              description: IP protocol number
              type: smallint
            - name: src
              type: string
              description: The source IP address and port
            - name: srcIp
              type: string
              description: The source IP address
              indicators: [ip]
              split:
                from: event.physicalTraffic.src
                separator: ':'
                index: 0
            - name: srcPort
              type: int
              description: The source port
              split:
                from: event.physicalTraffic.src
                separator: ':'
                index: 1
            - name: dst
              type: string
              description: The destination IP address and port
            - name: dstIp
              type: string
              description: The destination IP address
              indicators: [ip]
              split:
                from: event.physicalTraffic.dst
                separator: ':'
                index: 0
            - name: dstPort
              type: int
              description: The destination port
              split:
                from: event.physicalTraffic.dst
                separator: ':'
                index: 1
            - name: txPkts
              description: Number of packets transmitted within the window
              type: bigint
            - name: txBytes
              description: Number of bytes transmitted within the window
              type: bigint
            - name: rxPkts
              description: Number of packets received within the window
              type: bigint
            - name: rxBytes
              description: Number of bytes received within the window
              type: bigint
  - name: fields
    description: Object containing additional recorded field data
    type: object
    fields:
      - name: recorded
        description: Timestamp of when the event was recorded by Tailscale's logging service
        type: timestamp
        timeFormats:
          - rfc3339
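The Tailscale.Network schema nests four arrays of per-connection statistics under `event`, and derives `srcIp`/`srcPort`/`dstIp`/`dstPort` by splitting `src`/`dst` on `:`. The following added example (not Panther's or Tailscale's code) flattens one such event into per-connection rows the way the schema describes and then totals bytes per destination, which is the shape most network-flow detections start from. The sample event is constructed, with illustrative node and address values. One caveat the example handles: the schema's split takes index 0 as the address, which is exact for `ip:port` strings; the example assumes an IPv6 peer may appear as `[addr]:port`, and therefore splits on the last `:` and strips the brackets so both forms yield the address.

```python
"""Flatten a Tailscale.Network event into per-connection rows (added example)."""
import json
from datetime import datetime, timezone

# The four traffic arrays defined under `event` in the schema.
TRAFFIC_KINDS = ("virtualTraffic", "subnetTraffic", "exitTraffic", "physicalTraffic")

# Constructed sample event (not real Tailscale output); addresses are illustrative.
SAMPLE_EVENT = json.dumps({
    "time": 1700000000,
    "event": {
        "nodeId": "n-example",
        "start": "2023-11-14T22:13:00Z",
        "end": "2023-11-14T22:13:20Z",
        "virtualTraffic": [
            {"proto": 6, "src": "100.64.0.1:51234", "dst": "100.64.0.2:22",
             "txPkts": 10, "txBytes": 1200, "rxPkts": 8, "rxBytes": 900},
        ],
        "subnetTraffic": [
            {"proto": 17, "src": "100.64.0.1:53000", "dst": "10.0.0.53:53",
             "txPkts": 2, "txBytes": 150, "rxPkts": 2, "rxBytes": 300},
        ],
        "exitTraffic": [
            # Assumed bracketed form for an IPv6 address:port pair.
            {"proto": 6, "src": "[fd7a:115c:a1e0::1]:40000", "dst": "[2001:db8::10]:443",
             "txPkts": 100, "txBytes": 50000, "rxPkts": 90, "rxBytes": 400000},
        ],
    },
    "fields": {"recorded": "2023-11-14T22:13:25Z"},
})


def split_addr_port(addr_port):
    """Return (ip, port) for 'ip:port' or '[ipv6]:port'.

    The schema splits on ':' and takes index 0 / index 1, which is exact for
    IPv4. Splitting on the last ':' and stripping brackets gives the same
    result for IPv4 and also handles the bracketed IPv6 form."""
    host, _, port = addr_port.rpartition(":")
    if not port.isdigit():
        raise ValueError(f"no port in {addr_port!r}")
    return host.strip("[]"), int(port)


def parse_network_event(raw):
    """Validate required fields and flatten every traffic entry into a row."""
    ev = json.loads(raw)
    for key in ("time", "event"):  # required: true in the schema
        if key not in ev:
            raise ValueError(f"missing required field {key!r}")
    # `time` uses timeFormats: unix and is the event time.
    event_time = datetime.fromtimestamp(ev["time"], tz=timezone.utc)
    rows = []
    for kind in TRAFFIC_KINDS:
        for conn in ev["event"].get(kind) or []:
            src_ip, src_port = split_addr_port(conn["src"])
            dst_ip, dst_port = split_addr_port(conn["dst"])
            rows.append({
                "time": event_time,
                "nodeId": ev["event"].get("nodeId"),
                "kind": kind,
                "proto": conn["proto"],
                "srcIp": src_ip, "srcPort": src_port,
                "dstIp": dst_ip, "dstPort": dst_port,
                "txBytes": conn.get("txBytes", 0),
                "rxBytes": conn.get("rxBytes", 0),
            })
    return rows


def bytes_by_destination(rows):
    """Total bytes (tx + rx) per destination IP within the window, largest first."""
    totals = {}
    for r in rows:
        totals[r["dstIp"]] = totals.get(r["dstIp"], 0) + r["txBytes"] + r["rxBytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    flat = parse_network_event(SAMPLE_EVENT)
    for r in flat:
        print(r["kind"], r["proto"],
              f'{r["srcIp"]}:{r["srcPort"]} -> {r["dstIp"]}:{r["dstPort"]}',
              r["txBytes"], r["rxBytes"])
    print(bytes_by_destination(flat))
```

The rows carry the traffic kind alongside the connection tuple, so a query or rule can treat `exitTraffic` and `subnetTraffic` (traffic leaving the tailnet) differently from `virtualTraffic` (node to node) without re-parsing the event.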
