gravitational
diff --git a/‎docs/config.json
+4 b/‎docs/config.json
+4
diff --git a/‎docs/cspell.json
+1 b/‎docs/cspell.json
+1
diff --git a/‎docs/img/management/fluentd-diagram.png
158 KB b/‎docs/img/management/fluentd-diagram.png
158 KB
diff --git a/‎docs/img/management/panther-ingest.png
486 KB b/‎docs/img/management/panther-ingest.png
486 KB
diff --git a/‎docs/pages/management/export-audit-events/panther.mdx
+247 b/‎docs/pages/management/export-audit-events/panther.mdx
+247
@@ -814,6 +814,10 @@
               "title": "Export Audit Events to the Elastic Stack",
               "slug": "/management/export-audit-events/elastic-stack/"
             },
+            {
+              "title": "Export Audit Events to Panther",
+              "slug": "/management/export-audit-events/panther/"
+            },
             {
               "title": "Export Audit Events to Splunk",
               "slug": "/management/export-audit-events/splunk/"
 
@@ -846,6 +846,7 @@
     "thisisunsafe",
     "thred",
     "timechart",
+    "timekey",
     "tlscacerts",
     "tlscert",
     "tlsexistingcasecretname",
 
@@ -0,0 +1,247 @@
+---
+title: Export Teleport Audit Events to Panther 
+description: How to configure the Teleport Event Handler plugin and Fluentd to send audit logs to Panther
+---
+
+Panther is a cloud-native security analytics platform. In this guide, we'll explain
+how to forward Teleport audit events to Panther using Fluentd.
+
+## How it works
+
+The Teleport Event Handler is designed to communicate with Fluentd using mTLS
+to establish a secure channel. In this setup, the Event Handler sends events to Fluentd, which forwards them to S3 to be ingested by Panther.
+
+![Architecture of the setup shown in this guide](../../../img/management/fluentd-diagram.png)
+
+## Prerequisites
+
+(!docs/pages/includes/edition-prereqs-tabs.mdx!)
+
+(!docs/pages/includes/machine-id/plugin-prerequisites.mdx!)
+
+- A [Panther](https://panther.com/product/request-a-demo/) account.
+- A server, virtual machine, Kubernetes cluster, or Docker environment to run the
+  Event Handler. The instructions below assume a local Docker container for testing.
+- Fluentd version v(=fluentd.version=) or greater. The Teleport Event Handler
+  will create a new `fluent.conf` file you can integrate into an existing Fluentd
+  system, or use with a fresh setup.
+- An S3 bucket to store the logs. Panther will ingest the logs from this bucket.
+
+The instructions below demonstrate a local test of the Event Handler plugin on
+VM. You will need to adjust paths, ports, and domains for other environments.
+
+- (!docs/pages/includes/tctl.mdx!)
+
+## Step 1/7. Install the Event Handler plugin
+
+The Teleport event handler runs alongside the Fluentd forwarder, receives events
+from Teleport's events API, and forwards them to Fluentd.
+
+(!docs/pages/includes/install-event-handler.mdx!)
+
+## Step 2/7. Generate a plugin configuration
+
+(!docs/pages/includes/configure-event-handler.mdx!)
+
+## Step 3/7. Create a user and role for reading audit events
+
+(!docs/pages/includes/plugins/event-handler-role-user.mdx!)
+
+## Step 4/7. Create teleport-event-handler credentials
+
+In order for the Event Handler plugin to forward events from your Teleport cluster, 
+it needs signed credentials from the cluster's certificate authority. The teleport-event-handler 
+user cannot request this itself, and should use Teleport Machine ID to obtain the credentials.
+
+Teleport Machine ID bot should leverage the `teleport-event-handler` role to request the credentials.
+Machine ID already impersonates roles when requesting credentials from the Teleport cluster.  
+
+### Export an identity file for the Event Handler plugin user
+
+Give the plugin access to a Teleport identity file. We recommend using Machine
+ID for this in order to produce short-lived identity files that are less
+dangerous if exfiltrated, though in demo deployments, you can generate
+longer-lived identity files with `tctl`:
+
+<Tabs>
+<TabItem label="Machine ID">
+(!docs/pages/includes/plugins/tbot-identity.mdx secret="teleport-event-handler-identity"!)
+</TabItem>
+<TabItem label="Long-lived identity files">
+(!docs/pages/includes/plugins/identity-export.mdx user="teleport-event-handler" secret="teleport-event-handler-identity"!)
+</TabItem>
+</Tabs>
+
+## Step 5/7. Create a Dockerfile with Fluentd and the S3 plugin
+
+To send logs to Panther, you need to use the Fluentd output plugin for S3. Create
+a `Dockerfile` with the following content:
+
+```text
+FROM fluent/fluentd:edge
+USER root
+RUN fluent-gem install fluent-plugin-s3
+USER fluent
+```
+
+Build the Docker image:
+
+```shell
+$ docker build -t fluentd-s3 .
+```
+
+<Admonition type="tip" title="Testing Locally?">
+
+If you're running Fluentd in a local Docker container for testing, you can adjust
+the entrypoint to an interactive shell as the root user, so you can test the setup.
+
+```code
+$ docker run -u $(id -u root):$(id -g root) -p 8888:8888 -v $(pwd):/keys -v \
+$(pwd)/fluent.conf:/fluentd/etc/fluent.conf --entrypoint=/bin/sh -i --tty  fluentd-s3
+```
+
+</Admonition>
+
+### Configure Fluentd for Panther
+
+When you run the Teleport Event Handler, it will create a `fluent.conf` file.  This file needs to be updated
+to send logs to Panther. This means adding a `<filter>` and `<match>` section to the file. These sections
+will filter and format the logs before sending them to S3, The record_transformer is important to send the 
+right date and time format for Panther. 
+
+```xml
+<!--
+# Below code is commented out as it's autogenerated in step 4 by teleport-event-handler
+fluent.conf 
+This is a sample configuration file for Fluentd to send logs to S3. 
+Created by the Teleport Event Handler plugin. 
+Add the <filter> and <match> sections to the file.
+ <source>
+     @type http
+     port 8888
+
+     <transport tls>
+         client_cert_auth true
+         ca_path "/keys/ca.crt"
+         cert_path "/keys/server.crt"
+         private_key_path "/keys/server.key"
+         private_key_passphrase "AUTOGENERATED"
+     </transport>
+
+     <parse>
+       @type json
+       json_parser oj
+
+       # This time format is used by Teleport Event Handler.
+       time_type string
+       time_format %Y-%m-%dT%H:%M:%S
+     </parse>
+
+     # If the number of events is high, fluentd will start failing the ingestion
+     # with the following error message: buffer space has too many data errors.
+     # The following configuration prevents data loss in case of a restart and
+     # overcomes the limitations of the default fluentd buffer configuration.
+     # This configuration is optional.
+     # See https://docs.fluentd.org/configuration/buffer-section for more details.
+     <buffer>
+       @type file
+       flush_thread_count 8
+       flush_interval 1s
+       chunk_limit_size 10M
+       queue_limit_length 16
+       retry_max_interval 30
+       retry_forever true
+  </buffer>
+</source>
+-->
+<filter test.log>
+  @type record_transformer
+  enable_ruby true
+  <record>
+    time ${time.utc.strftime("%Y-%m-%dT%H:%M:%SZ")}
+  </record>
+</filter>
+<match test.log>
+  @type s3
+  aws_key_id  REPLACE_aws_access_key
+  aws_sec_key  REPLACE_aws_secret_access_key
+  s3_bucket  REPLACE_s3_bucket
+  s3_region us-west-2
+  path teleport/logs
+  <buffer>
+    @type file
+    path /var/log/fluent/buffer/s3-events
+    timekey 60
+    timekey_wait 0
+    timekey_use_utc true
+    chunk_limit_size 256m
+  </buffer>
+  time_slice_format %Y%m%d%H%M%S
+  <format>
+    @type json
+    </format>
+</match>
+<match session.*>
+  @type stdout
+</match>
+```
+
+Start the Fluentd container:
+
+```shell
+$ docker run -p 8888:8888 -v $(pwd):/keys -v $(pwd)/fluent.conf:/fluentd/etc/fluent.conf fluentd-s3
+```
+This will start the Fluentd container and expose port 8888 for the Teleport Event Handler to send logs to. 
+
+## Step 6/7. Run the Teleport Event Handler plugin
+
+### Configure the Event Handler
+
+In this section, you will configure the Teleport Event Handler for your
+environment.
+
+(!docs/pages/includes/plugins/finish-event-handler-config.mdx!)
+
+Next, modify the configuration file as follows:
+
+(!docs/pages/includes/plugins/config-toml-teleport.mdx!)
+
+(!docs/pages/includes/plugins/machine-id-exporter-config.mdx!)
+
+### Start the Teleport Event Handler
+
+(!docs/pages/includes/start-event-handler.mdx!)
+
+The Logs view in Panther should now report your Teleport cluster events. 
+
+## Step 7/7. Configure Panther to ingest logs from S3
+
+Once logs are being sent to S3, you can configure Panther to ingest them. Follow
+the [Panther documentation](https://docs.panther.com/data-onboarding/supported-logs/teleport) to set
+up the S3 bucket as a data source.
+
+![Panther Dashboard Example](../../../img/management/panther-ingest.png)
+
+## Troubleshooting connection issues
+
+If the Teleport Event Handler is displaying error logs while connecting to your
+Teleport Cluster, ensure that:
+
+- The certificate the Teleport Event Handler is using to connect to your
+  Teleport cluster is not past its expiration date. This is the value of the
+  `--ttl` flag in the `tctl auth sign` command, which is 12 hours by default.
+- Ensure that in your Teleport Event Handler configuration file
+  (`teleport-event-handler.toml`), you have provided the correct host *and* port
+  for the Teleport Proxy Service.
+- Start the FluentD container prior to starting the Teleport Event Handler. The 
+  Event Handler will attempt to connect to FluentD immediately upon startup.
+
+## Next steps
+
+- Read more about
+[impersonation](../../access-controls/guides/impersonation.mdx)
+here.
+- Learn more about the [Panther Detections, Alerts and Notifications](https://panther.com/integrations/logs/teleport/).
+- To see all of the options you can set in the values file for the
+`teleport-plugin-event-handler` Helm chart, consult our [reference
+guide](../../reference/helm-reference/teleport-plugin-event-handler.mdx).