Fleet Management (fleetManagement
)
Available: Fleet Modes v1.7.0
The Falcon Log Collector Fleet Management Modes have been extended as of 1.7.0
The fleet management block configures the Falcon Log Collector as a managed instance in LogScale. The Falcon Log Collector shows up on the Falcon Log Collector in LogScale, and depending on the mode of fleet management, the Falcon Log Collector configuration of sources and sinks can also be managed centrally in LogScale.
The primary way to setup the fleet management configuration is through the Manage Falcon Log Collector Instance Enrollment of the Falcon Log Collector.
You can retrieve this token on the Fleet Management Overview.
Fleet Modes
There are three modes of the fleet management block. The mode is
selected by the mode
field underneath the
fleetManagement
object.
full
)
In full
mode, the Falcon Log Collector participates fully in
fleet management, and receives the configuration of sources and sinks
centrally. In this mode, it's not possible to use the
sources
, sinks
or
settings
fields in the local configuration
file.
This mode is the default when using the enroll command without additional options. The enroll command writes the following snippet in the local configuration:
fleetManagement:
mode: full
url: https://<logscale-cluster>
localConfig
)
In localConfig
, the Falcon Log Collector is enrolled in
fleet management, but only reports to LogScale. Sources and sinks are
configured in the local configuration file as when running without
fleet management enabled. This mode can be selected by the enroll
command by the --mode localConfig
argument. The
enroll command preserves the existing configuration, but replaces the
fleetManagement
block with:
fleetManagement:
mode: localConfig
url: https://<logscale-cluster>
legacy
)
In legacy mode, the Falcon Log Collector is configured using a fleet overview snippet. The Falcon Log Collector sends periodic updates that shows up in the fleet overview. This mode does not support the CPU, memory and disk usage metrics of fleet management.
This mode is not recommended for new installations. The use case of
this mode has been superseded by the new auto enrollment feature with
either full
or localConfig
mode.
autoEnrollment
)
Starting with version 1.7.0 of the Falcon Log Collector, it's now possible to
enter an enrollment token in the configuration file. The Falcon Log Collector
automatically uses this enrollment token to enroll in fleet
management, if it isn't enrolled upon start-up. Using this feature
along with mode localConfig
is a direct replacement
of the legacy fleet overview mode.
This feature is useful when deploying the Falcon Log Collector automatically through a host management platform. Auto enrollment also allows specifying a timeout (ephemeral timeout), where if the LogScale Collector is offline for longer, it will be removed from fleet management.
Example of using auto enrollment:
fleetManagement:
mode: full # or localConfig
url: https://<logscale-cluster>
autoEnrollment:
enrollmentToken: eyJpWxsVG9rZW4iOiJ... # copy the enrollment token from the enroll command
# ephemeralTimeoutHours: 3 # uncomment to automatically remove the Falcon Log Collector after being offline for i.e. 3 hours
The fleet management block supports additional options to control proxy and TLS settings. These options apply to all modes.
ProxyControls which HTTP proxy is used to communicate with LogScale in the fleet management protocol.
Supported values are:
none
: Do not use a proxy.system
: Always use the system proxy.auto
: Attempt to determine the system proxy, fallback to none if proxy discovery failed.A proxy URL: enter a URL such as
http://user:pass@proxyaddress
to use that proxy.
Controls the TLS options that are used to establish a secure connection to LogScale in the fleet management protocol.
Parameter | Type | Default | Description |
---|---|---|---|
insecure | bool | false | Specify if certificate validation is needed, if set to true the certificate validation is skipped. |
caCert | string | "" | Specify this key to load a certificate from the config file. |
Cafile | string | "" | Specify this key to load the PEM certificate from an external. |