Log streaming lets you stream configuration or network flow logs into a security information and event management (SIEM) system. You can stream logs into a SIEM to help detect and respond to security threats, set up alerting and monitoring rules, etc.

Currently supported SIEM systems are Splunk, through an HTTP Event Collector, Elasticsearch Logstash, through a data stream, and Panther.

Prerequisites

You need a SIEM endpoint and credentials from your SIEM vendor. Consult your SIEM vendor’s documentation for how to get an endpoint and API credentials.

Configuration audit log streaming

Log streaming lets you stream configuration audit logs into a security information and event management (SIEM) system. You can stream logs into a SIEM to help detect and respond to security threats, set up alerting and monitoring rules, etc.

Adding a configuration log streaming destination

You need to be an Owner, Admin, Network admin, or IT admin to add and configure a streaming destination.

1. Open the Configuration logs page of the admin console.
2. Click Start streaming.
3. In the Start streaming configuration logs dialog:
   1. Select a SIEM destination.
   2. For URL, enter your SIEM endpoint. The endpoint URL must use the HTTPS protocol, and there is no restriction on which port is used. Splunk’s HTTP Endpoint Connectors require an endpoint ending with /services/collector/event. Elasticsearch’s data streams require an endpoint ending with <stream_id>/_bulk?pretty.
   3. If your SIEM system requires a value for Username, enter the SIEM username.
   4. For Token, enter the SIEM API token.
4. Click Start streaming.

Check your SIEM system to verify you are successfully streaming from your tailnet.

Changing a configuration log streaming destination

You can change the SIEM endpoint and the SIEM API token for a streaming system. You can also change the SIEM username, if a username is used for your SIEM system.

You need to be an Owner, Admin, Network admin, or IT admin to change the configuration of a streaming destination.

1. Open the Configuration logs page of the admin console.
2. For the SIEM system that you want to update, click the Action dropdown, then click Edit.
3. Update the value for Destination, URL, Token, and/or Username.
4. Click Update endpoint.

Deleting a configuration log streaming destination

You need to be an Owner, Admin, Network admin, or IT admin to delete a streaming destination.

1. Open the Configuration logs page of the admin console.
2. For the SIEM system that you want to delete, click the Action dropdown, then click Delete.
3. In the confirmation dialog, click Delete.

Network flow log streaming

Adding a network log streaming destination

You need to be an Owner, Admin, Network admin, or IT admin to add a streaming destination.

1. If you haven’t already, enable Network flow logs for your tailnet.
2. Open the Network flow logs page of the admin console.
3. Click Start streaming.
4. In the Start streaming network logs dialog:
   1. Select a SIEM destination.
   2. For URL, enter your SIEM endpoint. The endpoint URL must use the HTTPS protocol, and there is no restriction on which port is used. Splunk’s HTTP Endpoint Connectors require an endpoint ending with /services/collector/event Elasticsearch’s data stream endpoints end with <stream_id>/_bulk?pretty.
   3. If your SIEM system requires a value for Username, enter the SIEM username.
   4. For Token, enter the SIEM API token.
5. Click Start streaming.

Check your SIEM system to verify you are successfully streaming from your tailnet.

Changing a network log streaming destination

You can change the SIEM endpoint and the SIEM API token for a streaming system. You can also change the SIEM username, if a username is used for your SIEM system.

You need to be an Owner, Admin, Network admin, or IT admin to change the configuration of a streaming destination.

1. Open the Network flow logs page of the admin console.
2. For the SIEM system that you want to update, click the Action dropdown, then click Edit.
3. Update the value for Destination, URL, Token, and/or Username.
4. Click Update endpoint.

Deleting a network log streaming destination

You need to be an Owner, Admin, Network admin, or IT admin to delete a streaming destination.

1. Open the Network flow logs page of the admin console.
2. For the SIEM system that you want to delete, click the Action dropdown, then click Delete.
3. In the confirmation dialog, click Delete.

Private endpoints

Log streaming can publish logs to a host that is directly reachable over the public internet, in which case the endpoint must use HTTPS for security. Alternatively, log streaming can publish logs to a private host that is not directly reachable over the public internet by utilizing Tailscale for connectivity. Plain HTTP may be used since the underlying transport is secured by Tailscale using WireGuard.

Use of log streaming to a private host is detected automatically based on the host specified in the endpoint URL.

The host must reference a node within your tailnet and can be any of the following:

• The name of a Tailscale node (e.g., “splunk”).
• The fully-qualified domain name of a Tailscale node (e.g., “splunk.yak-bebop.ts.net”).
• The IPv4 address of a Tailscale node (e.g., “100.12.34.56”).
• The IPv6 address of a Tailscale node (e.g., “fd7a:115c:a1e0:ab12:0123:4567:89ab:cdef”).

Log streaming to a private endpoint operates by sharing your node into a Tailscale-managed tailnet, where a Tailscale-managed node will publish logs directly to your node. This requires both sharing your node out to Tailscale’s logstream tailnet, and modifying your tailnet policy file to support incoming traffic to your node from the logstream@tailscale user.

When adding or updating an endpoint that points to a private host, the control plane may need to share your node and/or update the tailnet policy file on your behalf. If additional configuration changes are needed, a follow-up dialog box will ask you for permission to perform the necessary actions. Audit log events will be generated for these operations and the actions will be attributed to you.

After adding or updating the endpoint, the node will be listed on the Machines page of the admin console as having been shared out to the logstream@tailscale user. Also, the tailnet policy file will be modified with a rule similar to the following:

{
  // Private log streaming enables audit and network logs to be directly
  // uploaded to a node in your tailnet without exposing it to the public internet.
  // This access rule provides access for a Tailscale-managed node to upload logs
  // directly to the specified node.
  // See https://tailscale.com/kb/1255/log-streaming/#private-endpoints
  "action": "accept",
  "src":    ["logstream@tailscale"],
  "dst":    ["nodeAddressV4:port", "[nodeAddressV6]:port"],
}

where:

• nodeAddressV4 is the IPv4 address of the Tailscale node,
• nodeAddressV6 is the IPv6 address of the Tailscale node, and
• port is the service port for the SIEM system.

Both the IPv4 and IPv6 address are specified as the log stream publisher may communicate with your node over either v4 or v6 of the Internet protocol.

Since log streaming to a private host may require the ability to share nodes and the ability to update the tailnet policy file, only the Admin and Network admin roles have sufficient permissions to unilaterally make use of private endpoints. The IT admin has the ability to share nodes, but lacks the ability to update the tailnet policy file. An IT admin can still make use of private endpoints, but requires either an Admin or Network admin to manually update the tailnet policy file before logs can start streaming.