Install Falcon Log Collector on Linux - Custom

Important

The name of the Falcon Log Collector service varies:

This procedure describes how to perform a custom installation of the Falcon Log Collector on a Linux host.

  1. Download the Falcon Log Collector as described in Download Falcon Log Collector - Custom or, to download it from the command line, see Download Installers from the Command-line.

  2. Run the command for your distribution to install the Falcon Log Collector:

    • Ubuntu

      $ sudo dpkg -i humio-collector_x.x.x_linux_amd64.deb

    • RedHat

      $ sudo rpm -i humio-collector.rpm

Run the Falcon Log Collector Manually on Linux

The following procedures describe the manual set-up of the Falcon Log Collector on Linux.

Note

Create a valid configuration before running the LogScale Collector, see Configure Falcon Log Collector for more information.

Configure Start-up on Boot

The package ships with a service file that can be enabled as a systemd service so that the collector runs at start-up:

$ sudo systemctl enable humio-log-collector.service

Additional Steps on Linux

Add Permissions to the Falcon Log Collector User

By default, the Falcon Log Collector process will run as the user humio-log-collector. This user likely does not have access to a majority of the log files in the /var/log directory. The user can be added to the adm group, which generally allows read permissions on these files.

$ sudo usermod -a -G adm humio-log-collector

Allow Access to All Files on the Filesystem

The following capability can be added to the Falcon Log Collector process to grant it read access to all files on the filesystem (CAP_DAC_READ_SEARCH bypasses file read and directory search permission checks).

Important

This provides broad access to all system files and is therefore not recommended for anything other than testing purposes.

  1. Run the following command to open an editor for creating an override file:

    $ sudo systemctl edit humio-log-collector.service

  2. In the editor, add the following lines:

    [Service]
    AmbientCapabilities=CAP_DAC_READ_SEARCH

    Save and close the editor. This creates an override file in /etc/systemd/system/humio-log-collector.service.d/ without modifying the original service file.

  3. Reload the systemd manager configuration:

    $ sudo systemctl daemon-reload

  4. Restart the service to apply the changes:

    $ sudo systemctl restart humio-log-collector.service

Binding to Lower Port Numbers (below 1024)

To allow the Falcon Log Collector to bind to port numbers below 1024 without running as root, you can use an override file to set the appropriate capability. Follow these steps:

  1. Create or edit an override file for the systemd unit:

    $ sudo systemctl edit humio-log-collector.service

  2. In the editor, add the following lines:

    [Service]
    AmbientCapabilities=CAP_NET_BIND_SERVICE

  3. Save and close the editor.

  4. Reload the systemd manager configuration:

    $ sudo systemctl daemon-reload

  5. Restart the service to apply the changes:

    $ sudo systemctl restart humio-log-collector.service

This method sets the CAP_NET_BIND_SERVICE capability for the Falcon Log Collector process, allowing it to bind to ports below 1024 without needing root privileges. The capability is applied through systemd.
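After either of the AmbientCapabilities overrides above (CAP_DAC_READ_SEARCH or CAP_NET_BIND_SERVICE), a practitioner will want to confirm that the running collector holds exactly the capability intended and nothing more. The script below is an added example, not part of the Falcon Log Collector documentation or package; it decodes the capability masks that the kernel exposes in /proc/<pid>/status and runs against a constructed sample of that file.

```shell
#!/bin/sh
# Added example, not part of the Falcon Log Collector docs or package.
# Decode the Cap* hex masks from /proc/<pid>/status to verify that an
# AmbientCapabilities= override left the collector with only the intended
# capability. Bit numbers come from linux/capability.h:
# CAP_DAC_READ_SEARCH = 2, CAP_NET_BIND_SERVICE = 10.

# cap_name BIT: name for the two capabilities this page uses, else CAP_<bit>.
cap_name() {
  case $1 in
    2)  echo CAP_DAC_READ_SEARCH ;;
    10) echo CAP_NET_BIND_SERVICE ;;
    *)  echo "CAP_$1" ;;
  esac
}

# cap_mask STATUSFILE FIELD: print the hex mask of FIELD (CapEff, CapAmb, ...).
cap_mask() {
  awk -v f="$2:" '$1 == f { print $2 }' "$1"
}

# has_cap STATUSFILE FIELD BIT: succeed if capability bit BIT is set in FIELD.
has_cap() {
  mask=$(cap_mask "$1" "$2")
  [ -n "$mask" ] || return 2
  [ $(( (0x$mask >> $3) & 1 )) -eq 1 ]
}

# list_caps STATUSFILE FIELD: one name per set bit, so surplus capabilities
# (anything beyond the one you granted) stand out immediately.
list_caps() {
  bit=0
  while [ "$bit" -le 40 ]; do
    has_cap "$1" "$2" "$bit" && cap_name "$bit"
    bit=$((bit + 1))
  done
  return 0
}

# Constructed sample of /proc/<pid>/status after the CAP_NET_BIND_SERVICE
# override (0x400 = bit 10); not captured from a real host.
SAMPLE_STATUS=$(mktemp)
cat >"$SAMPLE_STATUS" <<'EOF'
Name:   humio-log-collector
CapInh: 0000000000000000
CapPrm: 0000000000000400
CapEff: 0000000000000400
CapBnd: 000001ffffffffff
CapAmb: 0000000000000400
EOF

echo "Effective capabilities in sample:"
list_caps "$SAMPLE_STATUS" CapEff
```

On a live host, point cap_mask and list_caps at /proc/<pid>/status of the collector process instead of the sample file; an empty CapEff list after the override means daemon-reload or the restart was skipped.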

Firewall Configuration

If a firewall is configured on your system, it may block syslog data sent to the collector. Update the firewall configuration to allow the default syslog port, 1515, through the firewall.

On RedHat or Debian Linux installations this can be achieved using the firewalld command:

$ sudo firewall-cmd --add-port=1515/tcp --permanent

A rule added with --permanent only takes effect in the running firewall once its configuration is reloaded. Other Linux installations may need a different configuration.

Run the Falcon Log Collector Manually for Debugging

For testing, you can run the Falcon Log Collector as a standalone process, bypassing the systemd service file.

  1. Run one of the following commands:

    Note

    Make sure the directory named by the dataDirectory value in config.yaml exists (default: dataDirectory: /var/lib/humio-log-collector).

    • Run the following command to view errors only:

      sudo -u humio-log-collector humio-log-collector --cfg /etc/humio-log-collector/config.yaml --log-level error --log-pretty

    • Run the following command to view all debug information:

      sudo -u humio-log-collector -- humio-log-collector --cfg /etc/humio-log-collector/config.yaml --log-level debug --log-pretty

  2. When you have finished testing, press Ctrl+C to stop the manually run LogCollector.

  3. Restart the LogCollector with the following command:

    sudo systemctl start humio-log-collector.service

    If prompted, enter your sudo password.

  4. Check the status of the LogCollector service:

    sudo systemctl status humio-log-collector.service

The executable humio-log-collector is located in /usr/bin by default.