# Panther Webhook Configuration This guide covers the Panther-specific steps for configuring the Event Forwarder webhook. Before continuing, complete the [SIEM Forwarding Quickstart](/tutorials/integrations/siem-forwarding-quickstart.md) to install and configure the Event Forwarder. ## Step 1: Create the Panther schema Panther requires an ingestion schema to parse incoming log data. 1. Download the [example Panther schema](https://raw.githubusercontent.com/spyderbat/event-forwarder/main/panther/Custom.SpyderbatR0.schema.yaml) from the event-forwarder repository. 2. In the Panther console, go to **Configure > Schemas** and click **Create New**. 3. Give the schema a name, such as `SpyderbatR0`. 4. Paste the schema contents into the text box. 5. Click **Validate**, then **Save**. ## Step 2: Create the Panther log source 1. In the Panther console, go to **Configure > Log Sources** and click **Create New**. 2. Select **Custom log formats**, then click **Start** under **HTTP logs**. 3. Enter a name for the source — for example, `Spyderbat Forwarder on ` (32-character limit). 4. Select the `Custom.SpyderbatR0` schema you created. 5. Set the auth method to **Bearer** and click the refresh button to generate a bearer secret. Copy the secret immediately — it cannot be retrieved after you leave this screen. 6. Click **Setup**. ## Step 3: Convert the bearer secret to base64 The event forwarder expects the bearer secret in base64 format. Convert it with: ```bash echo -n YOUR_SECRET | base64 ``` {% hint style="warning" %} The `-n` flag is required. Without it, `echo` appends a trailing newline to the secret, producing invalid base64 that causes silent authentication failures in Panther. {% endhint %} Keep the base64 output handy for the next step. ## Step 4: Configure the Event Forwarder webhook Edit `/opt/spyderbat-events/etc/config.yaml` and add the webhook block. Replace the placeholders with your Panther HTTP ingest URL and the base64 bearer secret from the previous step. ```yaml spyderbat_org_uid: YOUR-ORG-UID spyderbat_secret_api_key: YOUR-API-KEY webhook: endpoint_url: PANTHER-INGEST-URL compression_algo: zstd max_payload_bytes: 500000 authentication: method: bearer parameters: secret_key: YOUR-BASE64-SECRET ``` Restart the service to apply the config: ```bash sudo systemctl restart spyderbat-event-forwarder.service ``` Tail the logs to confirm events are reaching Panther without errors: ```bash sudo journalctl -fu spyderbat-event-forwarder.service ``` ## Step 5: Verify events in Panther In the Panther console, go to **Configure > Log Sources** and confirm a recent ingest timestamp appears for your Spyderbat log source. If the timestamp doesn't update within a few minutes, check the forwarder logs for authentication errors — the most common cause is an incorrectly encoded bearer secret (see Step 3). ## Related pages * [SIEM Forwarding](/concepts/integrations/siem-forwarding.md) — full architecture and setup * [SIEM Forwarding Quickstart](/tutorials/integrations/siem-forwarding-quickstart.md) — end-to-end setup guide * [Spyderbat Event Forwarder](/concepts/integrations/spyderbat-event-forwarder.md) — architecture overview --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.spyderbat.com/tutorials/integrations/forwarder-panther-config.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.