# Panther Webhook Configuration

This guide covers the Panther-specific steps for configuring the Event Forwarder webhook. Before continuing, complete the [SIEM Forwarding Quickstart](https://docs.spyderbat.com/tutorials/integrations/siem-forwarding-quickstart) to install and configure the Event Forwarder.

## Step 1: Create the Panther schema

Panther requires an ingestion schema to parse incoming log data.

1. Download the [example Panther schema](https://raw.githubusercontent.com/spyderbat/event-forwarder/main/panther/Custom.SpyderbatR0.schema.yaml) from the event-forwarder repository.
2. In the Panther console, go to **Configure > Schemas** and click **Create New**.
3. Give the schema a name, such as `SpyderbatR0`.
4. Paste the schema contents into the text box.
5. Click **Validate**, then **Save**.

## Step 2: Create the Panther log source

1. In the Panther console, go to **Configure > Log Sources** and click **Create New**.
2. Select **Custom log formats**, then click **Start** under **HTTP logs**.
3. Enter a name for the source — for example, `Spyderbat Forwarder on <hostname>` (32-character limit).
4. Select the `Custom.SpyderbatR0` schema you created.
5. Set the auth method to **Bearer** and click the refresh button to generate a bearer secret. Copy the secret immediately — it cannot be retrieved after you leave this screen.
6. Click **Setup**.

## Step 3: Convert the bearer secret to base64

The event forwarder expects the bearer secret in base64 format. Convert it with:

```bash
echo -n YOUR_SECRET | base64
```

{% hint style="warning" %}
The `-n` flag is required. Without it, `echo` appends a trailing newline to the secret, producing invalid base64 that causes silent authentication failures in Panther.
{% endhint %}

Keep the base64 output handy for the next step.

## Step 4: Configure the Event Forwarder webhook

Edit `/opt/spyderbat-events/etc/config.yaml` and add the webhook block. Replace the placeholders with your Panther HTTP ingest URL and the base64 bearer secret from the previous step.

```yaml
spyderbat_org_uid: YOUR-ORG-UID
spyderbat_secret_api_key: YOUR-API-KEY

webhook:
  endpoint_url: PANTHER-INGEST-URL
  compression_algo: zstd
  max_payload_bytes: 500000
  authentication:
    method: bearer
    parameters:
      secret_key: YOUR-BASE64-SECRET
```

Restart the service to apply the config:

```bash
sudo systemctl restart spyderbat-event-forwarder.service
```

Tail the logs to confirm events are reaching Panther without errors:

```bash
sudo journalctl -fu spyderbat-event-forwarder.service
```

## Step 5: Verify events in Panther

In the Panther console, go to **Configure > Log Sources** and confirm a recent ingest timestamp appears for your Spyderbat log source. If the timestamp doesn't update within a few minutes, check the forwarder logs for authentication errors — the most common cause is an incorrectly encoded bearer secret (see Step 3).

## Related pages

* [SIEM Forwarding](https://docs.spyderbat.com/concepts/integrations/siem-forwarding) — full architecture and setup
* [SIEM Forwarding Quickstart](https://docs.spyderbat.com/tutorials/integrations/siem-forwarding-quickstart) — end-to-end setup guide
* [Spyderbat Event Forwarder](https://docs.spyderbat.com/concepts/integrations/spyderbat-event-forwarder) — architecture overview