Link Search Menu Expand Document

Introduction

The (beta) cloud-based version of Panther is accessible at app.panther.support. After a simple Sign-up process your dedicated secure Panther instance will be automatically provisioned within the Panther Cloud. When signing-up you will be asked to choose a unique name for your Console which will then be accessible at https://{example}.app.panther.support.

Panther Architecture diagram

Using Panther for the First Time

Logging in (app.panther.support)

Login for the first time as the admin user using the password you gave during Sign-up - this is the default user account that will be used to administer Panther for the first time. Additional users can then be created from the admin tab.

Logging in (docker-compose.yml)

Note Instructions for launching the Docker images are on github.com/openanswers/panther-core

After starting the Panther containers for the first time an initial password will have been set. Unless configured that defaults will be:

Username admin
Password admin

This can be changed through the environment settings in docker-compose.yml e.g.

  event-console:
    ...
    environment:
      - ADMIN_USERNAME=admin
      - ADMIN_PASSWORD=admin
      - ADMIN_EMAIL=you@example.com

Welcome to the dashboard

The first screen that you will see is the Dashboard, which will look like this:

Clicking on Open Console will take you to the Console, which will look like this:

… this example shows that the Panther instance currently has two events in it. These particular messages are coming from the instance’s internal syslogd and http agents which will send periodic “keep-alive” events to indicate that they are healthy. Here, Agent http is alive and Agent syslogd are the details of the event, contained within the summary field (see next section). Double-click on an event to explore it a bit more.

Anatomy of an Event

A Panther Event is comprised of a number of data fields that are analagous to The Syslog Protocol.

Field Meaning Example value
_id Internal Panther ID for the event 5d8a4143f9f0b20100f778f9
acknowledged Indicates whether the event has been acknowledged false
agent The agent that received the event syslogd
external_id A reference to an external identifier (e.g. incident reference) OA:12345
first_occurrence Date/time when the first event was received 2019-09-24T16:16:03.825Z
last_occurrence Date/time when the last event was received 2019-10-04T12:22:49.063Z
group Grouping applied to this event (determined by Group Rules) Windows Servers
identifier Unique identifier for this event (used for de-duplication) 10740737389554512696
node Hostname of the device/server that originated the event MYWINSERVER123
owner The Panther user that has taken ownership of this event dave
severity Event Severity (0-5) 5 (Warning)
state_change Date/time when the last change to the event occurred 2019-10-04T12:22:49.066Z
summary Event details ERROR_OUTOFMEMORY: Not enough storage is available to complete this operation
tag Name of program or process that generated the event Microsoft-Windows-Kernel-General
tally Count of event occurrences 1416

By default, a unique Event is defined by the combination of the fields: {node}:{severity}:{tag}:{summary}.

Multiple events that have the same values for these fields will be treated as the same event, with a counter (tally) incremented for each occurrence. Simple Rules can be used to adjust the contents of these fields (for example, to remove unique data from the summary field) which allows Events to be de-duplicated and enriched, making them easy to manage.

Double-click on an event and select Fields to see its full contents:

See also:

Set Up Event Sources

There are currently two main methods to import event logs into Panther from client event sources. The most straightforward of these is by means of compatible logging software, while an HTTP based API is also available for integration with bespoke client applications.

Logging Software

Panther offers the capability to receive event logs directly from supported third-party logging software. In order to facilitate this, archives of configuration files are available for download from the Panther admin page.

More detailed information on the download procedure is available, along with configuration guides for each supported system, in the client configuration section.

REST API

For use cases where programmatic control is needed over the submission of event log entries, Panther provides an HTTP based REST API, incorporating a key for security.

More details on this are available in the API section.

Graylog (future)

SNMP Trap (future)

Event Source Examples

The freely available software packages listed below can act as event sources for Panther.

Software Official Website Panther Configuration
NXLog Documentation Linux, Windows
Rsyslog Documentation Linux
Syslog-ng TODO TODO
Log4j TODO TODO
Log4Net TODO TODO
AWS TODO Linux

Examples of approaches that can be used to monitor infrastructure and applications.

Technology How
Linux TODO
Windows TODO
Cisco TODO
MuleSoft Anypoint Platform TODO
Dell Boomi TODO

Configure a Global Rule

Global rules are rules that will be applied to every event log that is received by Panther. By default, you will have some syslog rules and a simple example. There is a tutorial for adding further global rules in the Rules section.

Configure a Group rule

There is a tutorial on setting up group rules in the Rules section, along with a working example in the API section.