Syslog Log Monitoring

Integration Overview

Syslog is a built-in Unix command-line utility that offers a standard way for quickly exchanging log information. Panther can collect, normalize, and monitor Syslog logs to help you identify suspicious activity in real time. Your normalized log data is then retained to power future security investigations in a data lake powered by the cloud-native data platform, Snowflake.

Use Cases for Syslog Logs

Panther supports the ingestion of both RFC3164 (BSD-syslog messages) and RFC5424 log formats. Some common security use cases for these log types include:

  • Monitoring remote system access
  • Alerting on sensitive sudo commands

Onboarding Syslog Logs in Panther

Panther supports ingesting Syslog logs via common Data Transport options: Amazon Web Services (AWS) S3, SQS, and CloudWatch. Setting Syslog up in Panther is fast and easy - simply create a new Syslog log source within the Panther console, choose your preferred data transport method, and configure Syslog to push logs to your chosen data transport source.

For more details on onboarding Syslog logs or for supported log schema, you can view our Syslog documentation here.

Parsing, Normalizing, & Analyzing

As Panther ingests Syslog logs, they are parsed, normalized, and stored in a Snowflake security data lake. This allows you to write detections, identify anomalies, and conduct investigations in the context of days, weeks, or months of data.

Panther applies normalization fields to log records, which standardizes names for attributes and enables you to correlate data across all of your log sources. Panther’s handy search tools - such as Query Builder, Data Explorer, and Indicator Search - allow you to investigate your normalized logs for suspicious activity or vulnerabilities. For more information on searching logs, check out our documentation on Investigations & Search.

Detection as Code

With Panther, you aren’t confined to rigid detections or proprietary code bases as seen in many SIEM solutions. Panther is built around detection-as-code principles, giving you the ability to write Python to define detection logic and to integrate external systems like version control and CI/CD pipelines into your detection engineering processes. This results in powerful, flexible, and reusable scripting of detections for your security team.

Configuring Alerts

Panther generates alerts when your detection rules or policies for Syslog are triggered, and integrates with a variety of alert destinations to allow for intuitive management of any alerts. Alerts can also be sent to alert context or SOAR platforms for more remediation options.

Alerts are grouped into five different severity levels: Info, Low, Medium, High, and Critical. Your security team has the ability to dynamically assign severity based on specific log event attributes.

Customer Support

If you have any questions about onboarding or monitoring Syslog logs in Panther, our customer support team is here to help. All customers have access to support via a dedicated Slack channel, email, or in-app messenger.

You can view our documentation on configuring and monitoring Syslog logs here, or customers can sign up for the Panther Community to share best practices or custom detections for Syslog logs.

The Ideal SIEM for Syslog

With Panther, your team doesn’t have to pay excessive costs to keep up with the growth of cloud app data, waste time and resources on operational overhead, or struggle with restrictive detection logic. Panther was founded by a team of security engineers who struggled with other SIEM solutions first-hand, and built an intuitive, cloud-native platform to meet today’s security needs.

Panther is a cloud-native SIEM built for security operations at scale, offering flexible detection-as-code, intuitive security workflows, and actionable real-time alerts. For a powerful, practical, and scalable SIEM solution for Syslog, request a demo today.

Escape Cloud Noise. Detect Security Signal.
Request a Demo