Configure Falcon Log Collector

The Falcon Log Collector configuration can be managed either:

  • remotely (preferred), in a managed mode that provides functionality to centrally manage your configurations and assign a single configuration to multiple instances; see Create a Configuration - Fleet for more information on remote configuration creation.

  • locally, by manually editing the .yaml file; see Create a Configuration - Local.

Create a Configuration - Fleet

These steps explain how to configure the Falcon Log Collector for remote management using the Config overview page to ship data to LogScale. See Manage Your Fleet for information on remote configuration.

When you create a Config file you can either create a complete configuration or create snippets that are later combined when you Create a Group.

  1. Go to the Data ingest tab and click Config overview.

    Figure 4. Fleet Overview

  2. The Config overview page is displayed; click + New Config.

    Figure 5. Config Overview

  3. Type the name for your new configuration and click either:

    • Create New - creates a new configuration from scratch.

    • Create from template, then browse for a previously exported or manually created configuration file (.yaml).

  4. The Config Editor is displayed, which allows you to make changes to your configuration file.

    Figure 6. Config Editor

  5. Edit the file and specify the fields. You can only edit the sources, sinks and settings sections, which are described in Sources & Examples; alternatively, you can try out data ingestion using the Minimal Configuration Example Collecting File Data Source. When creating configurations, keep in mind that if you use Manage Groups to manage your instances you may want to create reusable configuration snippets that are later combined; see Combine Configuration Snippets.

    The editor helps by underlining misspelled entities or entities placed at the wrong level, and by auto-completing entities as you insert new ones. You can also hover over an entity for useful tips and information.

  6. Optionally, click the settings cog to view the Basic Settings, where you can manage additional settings such as the description and name, assign instances to the configuration, or manage a test draft; see Manage Configurations for more information.

  7. You can now:

    • Click Save as draft to save the changes without publishing.

    • Click Start test to test a draft on a set of instances, which you choose in the next step; see Editing and Publishing a Test Configuration.

    • Click Publish config to save the changes and publish them to all the instances which are assigned to this configuration.

Create a Configuration - Local

The following steps describe how to edit the configuration file under local management. This can only be used for instances that have not been enrolled; see Manage Falcon Log Collector Instance Enrollment for more information.

If you want to create a remote configuration file see Manage Remote Configurations.

  1. Open config.yaml in the editor of your choice, for example on Linux:

    shell
    $ sudo vi /etc/humio-log-collector/config.yaml

    The file can be found in:

    • Linux (full)

      /etc/logscale-log-collector/config.yaml

    • Linux (Custom)

      /etc/humio-log-collector/config.yaml

    • Windows (Full)

      C:\Program Files (x86)\CrowdStrike\Logscale Log Collector\config.yaml

    • Windows (Custom)

      C:\Program Files (x86)\CrowdStrike\Humio Log Collector\config.yaml

    • MacOS

      /usr/local/etc/logscale-collector/config.yaml

  2. Edit the file and specify the fields and values described in Sources & Examples, or try out data ingestion by specifying:

    • Under sources you must specify type and include.

    • Under sinks you must specify type, token and url.

    • Add fleetManagement if you want to monitor your instances on Fleet management.

  3. Once you have finished making changes, save the file and restart the service.

    • Linux (custom)

      shell
      $ sudo systemctl restart humio-log-collector.service

    • macOS

      shell
      $ sudo launchctl kickstart -k system/com.crowdstrike.logscale-collector

    • Windows

      Go to Services, find Humio Log Collector, right-click it and select Restart.
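As an added example that is not from the original page, this is the minimal local config.yaml that step 2 describes: one file source, one LogScale sink and the optional fleetManagement block. The source's sink reference, the dataDirectory key, the file/humio type values and the fleetManagement url/token keys are assumptions about the collector's schema and are not stated in the steps above; all token and host values are placeholders.

```yaml
# Minimal config.yaml for local management (added example, not the product's own file).
# dataDirectory is assumed: where the collector keeps its read-position state.
dataDirectory: /var/lib/humio-log-collector

sources:
  # Each source needs at least "type" and "include" (step 2).
  syslog_files:
    type: file                        # assumed type value for a file source
    include: /var/log/syslog*         # glob of files to tail
    sink: logscale                    # assumed: name of the sink that receives these events

sinks:
  # Each sink needs at least "type", "token" and "url" (step 2).
  logscale:
    type: humio                       # assumed type value for a LogScale sink
    token: <INGEST_TOKEN_PLACEHOLDER> # ingest token of the target repository (credential)
    url: https://<LOGSCALE_HOST_PLACEHOLDER>

# Optional (step 2): lets the instance be monitored on Fleet management.
# The url/token keys under fleetManagement are assumed.
fleetManagement:
  url: https://<LOGSCALE_HOST_PLACEHOLDER>
  token: <ENROLLMENT_TOKEN_PLACEHOLDER>
```

Restart the service as in step 3 after saving; because the file holds ingest and enrollment tokens, keep it readable only by root or the collector's service account.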

Additional environment variables can be configured; see Troubleshooting & Execution.