Fleet Management (fleetManagement)
Available:Fleet Modes v1.7.0
The Falcon LogScale Collector Fleet Management Modes have been extended as of 1.7.0
The fleet management block configures the Falcon LogScale Collector as a managed instance in LogScale. The Falcon LogScale Collector shows up on the Falcon LogScale Collector in LogScale, and depending on the mode of fleet management, the Falcon LogScale Collector configuration of sources and sinks can also be managed centrally in LogScale.
The primary way to setup the fleet management configuration is through the Manage Falcon LogScale Collector Instance Enrollment of the Falcon LogScale Collector.
You can retrieve this token on the Fleet Management Overview.
Fleet Modes
There are three modes of the fleet management block. The mode is
selected by the mode field
underneath the
fleetManagement object.
full)
In full mode, the Falcon LogScale Collector
participates fully in fleet management, and receives the configuration
of sources and sinks centrally. In this mode, it's not possible to use
the sources,
sinks or
settings fields in the local
configuration file.
This mode is the default when using the enroll command without additional options. The enroll command writes the following snippet in the local configuration:
fleetManagement:
mode: full
url: https://<logscale-cluster>localConfig)
In localConfig, the
Falcon LogScale Collector is enrolled in fleet management, but only reports to
LogScale. Sources and sinks are configured in the local configuration
file as when running without fleet management enabled. This mode can
be selected by the enroll command by the --mode
localConfig argument. The enroll command preserves the
existing configuration, but replaces the
fleetManagement block with:
fleetManagement:
mode: localConfig
url: https://<logscale-cluster>legacy)
In legacy mode, the Falcon LogScale Collector is configured using a fleet overview snippet. The Falcon LogScale Collector sends periodic updates that shows up in the fleet overview. This mode does not support the CPU, memory and disk usage metrics of fleet management.
This mode is not recommended for new installations. The use case of
this mode has been superseded by the new auto enrollment feature with
either full or
localConfig mode.
autoEnrollment)
Starting with version 1.7.0 of the Falcon LogScale Collector, it's now possible to
enter an enrollment token in the configuration file. The Falcon LogScale Collector
automatically uses this enrollment token to enroll in fleet
management, if it isn't enrolled upon start-up. Using this feature
along with mode localConfig is a
direct replacement of the legacy fleet overview mode.
This feature is useful when deploying the Falcon LogScale Collector automatically through a host management platform. Auto enrollment also allows specifying a timeout (ephemeral timeout), where if the Log Collector is offline for longer, it will be removed from fleet management.
Example of using auto enrollment:
fleetManagement:
mode: full # or localConfig
url: https://<logscale-cluster>
autoEnrollment:
enrollmentToken: eyJpWxsVG9rZW4iOiJ... # copy the enrollment token from the enroll command
# ephemeralTimeoutHours: 3 # uncomment to automatically remove the Falcon LogScale Collector after being offline for i.e. 3 hoursfleetManagement:
mode: full # or localConfig
url: https://<logscale-cluster>
proxy: none
tls: insecureThe fleet management block supports additional options to control proxy and TLS settings. These options apply to all modes.
ProxyControls which HTTP proxy is used to communicate with LogScale in the fleet management protocol.
Supported values are:
none: Do not use a proxy.system: Always use the system proxy.auto: Attempt to determine the system proxy, fallback to none if proxy discovery failed.A proxy URL: enter a URL such as
http://user:pass@proxyaddressto use that proxy.
Controls the TLS options that are used to establish a secure connection to LogScale in the fleet management protocol.
| Parameter | Type | Default | Description |
|---|---|---|---|
| insecure | bool | false | Specify if certificate validation is needed, if set to true the certificate validation is skipped. |
| caCert | string | "" | Specify this key to load a certificate from the config file. |
| Cafile | string | "" | Specify this key to load the PEM certificate from an external. |