Configuration Elements

The Configuration Elements section explains how to configure the Falcon LogScale Collector through YAML files, covering essential components like flags, fleet management, data directory settings, sources, and sinks. The documentation details both local and centralized configuration approaches while providing specific information about each configuration element's purpose and implementation, including optional API debugging capabilities.

The Falcon LogScale Collector is configured through a .yaml file, either manually in a local file or centrally via the Config Editor.

The file is nested, and its indentation is essential to the correct functioning of the Falcon LogScale Collector. The first level of the file is as follows; note that the elements fleetManagement and dataDirectory cannot be used in remote configurations.

| Element | Description | Contents |
|---|---|---|
| flags | Optional configuration flags which allow certain additional behaviors, such as communication over HTTP. | See Optional Flags (flags). |
| fleetManagement (Local Configurations Only) | The set of details the instance requires to work with fleet management; see Fleet and Group Management for more on fleet management. This section must not be specified when using remote configuration and can only be used to enroll the instance in fleet management without remote configuration management. | See Fleet Management (fleetManagement). |
| dataDirectory (Local Configurations Only) | Defines where the Falcon LogScale Collector will create its "database", for example the database.db file. This path is automatically set when you install the Falcon LogScale Collector. | The name of the file or path to the folder. See dataDirectory. |
| sources | Allows you to define one or more data sources and a configuration for each data source, including a sink for each source. There can only be one sources block per config file. | See Configuration File Examples for more information and examples for different source types. |
| sinks | Defines where the data will be sent, along with specifications for the Queue (queue), memory, compression, and proxy configuration. | See Sinks (sinks). Depending on the source, a single sink or multiple sinks may be configured. |

Additional Fields

  • api: allows you to enable or disable the debug API (enabled by default).

api:
  enabled: false
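
The rules on this page (a single sources block, fleetManagement and dataDirectory kept out of remote configurations, the debug API enabled unless turned off) can be checked before a configuration is deployed. The following Python lint is an added example, not part of the Falcon LogScale Collector or its documentation; `lint_config`, the sample text and its nested names are constructed for illustration, and it inspects only top-level keys rather than parsing full YAML.

```python
import re

# Top-level elements named on this page, plus the optional `api` field.
KNOWN = {"flags", "fleetManagement", "dataDirectory", "sources", "sinks", "api"}
LOCAL_ONLY = {"fleetManagement", "dataDirectory"}  # not allowed in remote configs
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_][\w-]*)\s*:")

# Constructed sample: nested names and values are placeholders.
SAMPLE_REMOTE = """\
# constructed remote configuration with three problems
dataDirectory: /var/lib/collector
sources:
  example_source:
    sink: example_sink
sinks:
  example_sink:
    type: placeholder
sources:
  another_source:
    sink: example_sink
"""


def lint_config(text, remote=False):
    """Return findings for the top level of a collector config (YAML text)."""
    findings, seen, current, api_disabled = [], {}, None, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if "\t" in line[: len(line) - len(line.lstrip())]:
            findings.append(f"line {lineno}: tab in indentation (YAML requires spaces)")
        m = TOP_LEVEL_KEY.match(line)
        if m:
            current = m.group(1)
            if current in seen:  # many YAML loaders silently keep only the last one
                findings.append(f"line {lineno}: duplicate '{current}' block (first at line {seen[current]})")
            seen.setdefault(current, lineno)
            if current not in KNOWN:
                findings.append(f"line {lineno}: '{current}' is not an element listed on this page")
            if remote and current in LOCAL_ONLY:
                findings.append(f"line {lineno}: '{current}' is for local configurations only")
        elif current == "api" and re.fullmatch(r"\s+enabled\s*:\s*false", line):
            api_disabled = True
    if not api_disabled:
        findings.append("api.enabled is not false: the debug API is enabled by default")
    return findings


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_REMOTE, remote=True):
        print(finding)
```
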