
Overview

The most straightforward way to send events to Panther is to install and configure compatible logging software on the client system.

While users should generally install the software according to the documentation published by the relevant providers, specific configuration is also required to enable communication with Panther.

This and subsequent pages provide a guide to the configuration required once any necessary logging software has been installed.

NOTE: The instructions here are based on clean installations of the logging software – if site-specific configurations have already been made, then it is necessary to download the Panther resources and integrate them following the providers’ documentation.

All users should read the general advice in the introduction, but then refer to the relevant sections for their own specific software.

Introduction

Events can be received by Panther via two protocols:

Protocol       Destination                   Port
Secure Syslog  example.app.panther.support   6514
HTTP (Post)    https://app.panther.support   443

These are both TCP ports and may require additional firewalling rules to permit connectivity depending on your networking setup.

app.panther.support (secure syslog)

Event data is sent securely to the Panther server from local clients via an encrypted connection using Transport Layer Security (TLS). This requires the use of certificates and unique client keys which are generated specifically for your Panther instance during the sign-up process.

NOTE: TLS certificates are used for app.panther.support; self-hosted Docker containers use standard Syslog.

Since these certificates and keys are needed to configure client event loggers, they are bundled into “configuration archives” along with sample configuration files specific to the software, and made available for download from your Panther instance (e.g. example.app.panther.support).

NOTE: You should ensure that the key.pem included in your configuration archive is kept secure to prevent its use by anyone else.

The configuration process therefore is to download an appropriate archive, to load it in a suitable location for the software, and to carry out any remaining package or system specific tasks.

There are specific instructions for configuring the following Event senders:

Other Syslog agents

Any Syslog agent can be used so long as it supports TLS client certificate authentication. The necessary certificate files can be acquired from the Rsyslog configuration archive.

The following files included in the rsyslog-config-<system>.tar can be used as the basis for other Syslog agents:

cert.pem                TLS Client certificate (self signed)
key.pem                 TLS Client Key
panther-cert-chain.pem  The (self signed) Certificate chain of trust

Syslog events are sent to app.panther.support:6514 (6514 is the secure syslog port).
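
The following Python sketch is an added example, not Panther's own code. It shows what any TLS-capable Syslog agent has to do with the three archive files: refuse a key.pem that other users can read, trust only panther-cert-chain.pem, present cert.pem and key.pem as the client identity, and send one event to port 6514. Assumptions: the files sit in the working directory, the hostname is the page's example.app.panther.support placeholder and matches the server certificate, the server accepts RFC 5425 octet-counted framing, and all function names are hypothetical.

```python
import os
import socket
import ssl
import stat
from datetime import datetime, timezone

# Assumed values: the page's placeholder instance name and the secure syslog port.
HOST, PORT = "example.app.panther.support", 6514

def key_is_private(path):
    """True if the key file grants no permissions to group or other (POSIX)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0

def build_context(cert="cert.pem", key="key.pem", chain="panther-cert-chain.pem"):
    """Client TLS context; raises ssl.SSLError if cert.pem and key.pem do not match."""
    if not key_is_private(key):
        raise PermissionError(f"{key} is accessible to group/other; restrict it (chmod 600)")
    # Passing cafile means only the archive's chain is trusted, not the system store.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=chain)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert, keyfile=key)
    return ctx

def rfc5424(msg, app="panther-test", facility=1, severity=6, host=None):
    """Minimal RFC 5424 line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG."""
    pri = facility * 8 + severity
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {ts} {host or socket.gethostname()} {app} - - - {msg}"

def frame(line):
    """RFC 5425 octet-counted frame: b'<byte length> <message>' (assumed framing)."""
    data = line.encode("utf-8")
    return str(len(data)).encode("ascii") + b" " + data

def send_event(msg, ctx, host=HOST, port=PORT):
    """Send one event over mutually authenticated TLS; returns the negotiated version."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame(rfc5424(msg)))
            return tls.version()

if __name__ == "__main__":
    print(send_event("connectivity test", build_context()))
```

A certificate verification error from `send_event` means the server did not chain to panther-cert-chain.pem or its certificate does not cover the hostname used.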

app.panther.support (HTTPS API)

Event data is sent securely to the Panther server from local clients via an encrypted HTTPS connection. This does not require any additional certificates to be installed and will use your system's standard TLS authority chain of trust.

For further information please consult the general API Console documentation, or the AWS-Events2Panther.

Self Hosted Panther

TODO

