Fleet Management (fleetManagement)

Available: Fleet Modes v1.7.0

The Falcon Log Collector Fleet Management Modes have been extended as of 1.7.0

The fleet management block configures the Falcon Log Collector as a managed instance in LogScale. The Falcon Log Collector shows up on the Falcon Log Collector in LogScale, and depending on the mode of fleet management, the Falcon Log Collector configuration of sources and sinks can also be managed centrally in LogScale.

The primary way to setup the fleet management configuration is through the Manage Falcon Log Collector Instance Enrollment of the Falcon Log Collector.

You can retrieve this token on the Fleet Management Overview.

Fleet Modes

There are three modes of the fleet management block. The mode is selected by the mode field underneath the fleetManagement object.

Full (full)

In full mode, the Falcon Log Collector participates fully in fleet management, and receives the configuration of sources and sinks centrally. In this mode, it's not possible to use the sources, sinks or settings fields in the local configuration file.

This mode is the default when using the enroll command without additional options. The enroll command writes the following snippet in the local configuration:

fleetManagement:
  mode: full
  url: https://<logscale-cluster>
Local Config (localConfig)

In localConfig, the Falcon Log Collector is enrolled in fleet management, but only reports to LogScale. Sources and sinks are configured in the local configuration file as when running without fleet management enabled. This mode can be selected by the enroll command by the --mode localConfig argument. The enroll command preserves the existing configuration, but replaces the fleetManagement block with:

fleetManagement:
  mode: localConfig
  url: https://<logscale-cluster>
Legacy (legacy)

In legacy mode, the Falcon Log Collector is configured using a fleet overview snippet. The Falcon Log Collector sends periodic updates that shows up in the fleet overview. This mode does not support the CPU, memory and disk usage metrics of fleet management.

This mode is not recommended for new installations. The use case of this mode has been superseded by the new auto enrollment feature with either full or localConfig mode.

Auto Enrollment (autoEnrollment)

Starting with version 1.7.0 of the Falcon Log Collector, it's now possible to enter an enrollment token in the configuration file. The Falcon Log Collector automatically uses this enrollment token to enroll in fleet management, if it isn't enrolled upon start-up. Using this feature along with mode localConfig is a direct replacement of the legacy fleet overview mode.

This feature is useful when deploying the Falcon Log Collector automatically through a host management platform. Auto enrollment also allows specifying a timeout (ephemeral timeout), where if the LogScale Collector is offline for longer, it will be removed from fleet management.

Example of using auto enrollment:

fleetManagement:
  mode: full # or localConfig
  url: https://<logscale-cluster>
  autoEnrollment:
    enrollmentToken: eyJpWxsVG9rZW4iOiJ... # copy the enrollment token from the enroll command
    # ephemeralTimeoutHours: 3 # uncomment to automatically remove the Falcon Log Collector after being offline for i.e. 3 hours
Additional fleet management options

The fleet management block supports additional options to control proxy and TLS settings. These options apply to all modes.

Proxy

Controls which HTTP proxy is used to communicate with LogScale in the fleet management protocol.

Supported values are:

  • none: Do not use a proxy.

  • system: Always use the system proxy.

  • auto: Attempt to determine the system proxy, fallback to none if proxy discovery failed.

  • A proxy URL: enter a URL such as http://user:pass@proxyaddress to use that proxy.

TLS

Controls the TLS options that are used to establish a secure connection to LogScale in the fleet management protocol.

Parameter Type Default Description
insecure bool false Specify if certificate validation is needed, if set to true the certificate validation is skipped.
caCert string "" Specify this key to load a certificate from the config file.
Cafile string "" Specify this key to load the PEM certificate from an external.