Troubleshooting & Execution

The following sections describe methods of troubleshooting your LogScale Collector instances and some more advanced configuration settings.

You can troubleshoot your Falcon Log Collector using the following methods:

View System Logs

Falcon Log Collector can be run as a service, in which case it automatically logs warnings and errors. The level of the logs (i.e. trace, info, warn) that are logged can be changed through the configuration file; see Configuration Elements.

The logs for services are stored in different locations depending on the operating system:

  • If run as a Linux service on systemd Linux installations, they are logged in journald.

  • On macOS they are logged in /var/log/logscale-collector/main.log

  • On Windows they are logged in the Windows event log.

Debug Log

The Falcon Log Collector debug log can be sent to a LogScale instance by setting the HUMIO_DEBUG_LOG_ADDRESS and HUMIO_DEBUG_LOG_TOKEN environment variables. On Linux the environment variables can be configured in /etc/default/logscale-collector, while on Windows they have to be configured in system properties. For macOS, see Setting Environment Variables on macOS.

ini
HUMIO_DEBUG_LOG_ADDRESS=https://<your-humio-instance>
HUMIO_DEBUG_LOG_TOKEN=<your-ingest-token>

To stop sending the debug log the environment variables need to be undefined.

Debug Environment Variables

| Name | Description | Default |
| --- | --- | --- |
| HUMIO_DEBUG_LOG_LEVEL | You can use this environment variable to set the level of the logs sent to debug log. | Trace |
| HUMIO_DEBUG_LOG_ADDRESS | Required, the address of your LogScale instance. | |
| HUMIO_DEBUG_LOG_TOKEN | Required, specify the ingest token for your repository. | |
| HUMIO_DEBUG_LOG_INSECURE | If true, disables HTTPS certificate verification when sending debug logs. | False |
| HUMIO_DEBUG_LOG_CACERT | Specify a PEM encoded CA certificate to trust when sending debug logs. | |
| HUMIO_DEBUG_LOG_CAFILE | Specify a file containing a PEM encoded CA certificate to trust when sending debug logs. | |
| HUMIO_DEBUG_LOG_ALLOW_HTTP | If true, allows sending debug logs to addresses beginning with http:// | False |
| HUMIO_DEBUG_LOG_PROXY | Specify a proxy to use when sending debug logs. Defaults to auto, which is the system proxy if available. Specify system to use the system proxy or fail. Specify an address such as http://10.1.1.1:3128 to use a specific proxy. | Auto |

Setting Environment Variables on macOS

To set the environment variables on macOS when running the LogScale Collector as a service, you need to:

  1. Open the LaunchDaemon description file, located in /Library/LaunchDaemons/com.crowdstrike.logscale-collector.plist.

  2. Add the EnvironmentVariables dict with the three variables above the Label key.

xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>EnvironmentVariables</key>
    <dict>
        <key>HUMIO_DEBUG_LOG_ADDRESS</key>
        <string>https://your-humio-instance</string>
        <key>HUMIO_DEBUG_LOG_TOKEN</key>
        <string>ingest-token</string>
        <key>HUMIO_DEBUG_LOG_LEVEL</key>
        <string>trace</string>
    </dict>
    <key>Label</key>
...
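
The check below is an added example, not part of the original documentation or the collector's own code: it reads the debug variables from either a Linux environment file or the macOS LaunchDaemon plist shown above and flags settings from the table that weaken transport security. The function names, sample host names and token are constructed, and treating only "true" (any case) as enabled is an assumption.

```python
import plistlib
PREFIX = "HUMIO_DEBUG_LOG_"

def parse_env_file(text):
    """Parse KEY=VALUE lines as found in /etc/default/logscale-collector."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip("\"'")
    return env

def parse_launchd_plist(data):
    """Return the EnvironmentVariables dict from LaunchDaemon plist bytes."""
    return dict(plistlib.loads(data).get("EnvironmentVariables", {}))

def is_true(env, name):
    # Assumption: only the string "true" (any case) enables a boolean setting.
    return env.get(PREFIX + name, "").lower() == "true"

def audit(env):
    """Return findings for the HUMIO_DEBUG_LOG_* variables in env."""
    findings = []
    address, token = env.get(PREFIX + "ADDRESS", ""), env.get(PREFIX + "TOKEN", "")
    if bool(address) != bool(token):
        findings.append("ADDRESS and TOKEN are both required, but only one is set")
    if address.lower().startswith("http://"):
        findings.append("ADDRESS is http://, so the token and logs travel unencrypted")
    if is_true(env, "ALLOW_HTTP"):
        findings.append("ALLOW_HTTP=true permits http:// destinations")
    if is_true(env, "INSECURE"):
        findings.append("INSECURE=true disables HTTPS certificate verification")
        if env.get(PREFIX + "CACERT") or env.get(PREFIX + "CAFILE"):
            findings.append("a CA is configured, but INSECURE=true skips verification")
    return findings

# Constructed sample inputs (hypothetical host names and token).
SAMPLE_ENV = """\
HUMIO_DEBUG_LOG_ADDRESS=http://logscale.example.internal
HUMIO_DEBUG_LOG_TOKEN="EXAMPLE-TOKEN"
HUMIO_DEBUG_LOG_ALLOW_HTTP=true
HUMIO_DEBUG_LOG_INSECURE=True
HUMIO_DEBUG_LOG_CAFILE=/etc/ssl/example-ca.pem
"""
SAMPLE_PLIST = plistlib.dumps({"EnvironmentVariables": {
    PREFIX + "ADDRESS": "https://logscale.example.internal", PREFIX + "TOKEN": "EXAMPLE-TOKEN"}})
if __name__ == "__main__":
    print(audit(parse_env_file(SAMPLE_ENV)), audit(parse_launchd_plist(SAMPLE_PLIST)))
```

An empty list means none of the weakening settings were found; the sample environment file triggers four findings and the sample plist none.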

Using Console Stderr

The Falcon Log Collector sends information to stderr if run from the CLI. The information is sent in JSON format and the detail level is controlled by the log-level. The log-level can be specified using two different approaches (highest priority first):

  • Using a command line argument:

    shell
    --log-level debug

  • Configuring a log-level in the configuration file:

    yaml
    logLevel: debug

The following log-levels are supported:

  • trace (highest verbosity)

  • debug

  • info

  • warn

  • error (default)

  • fatal

The --log-pretty command line argument enables pretty-printing of console output for all logs. It has no effect on logs sent to LogScale, which use JSON format.

Disable Automated Updates

By default, LogScale tries to provide the latest Falcon Log Collector installers. If you have connection issues or the server is not connected to the internet, you may need to disable automatic updates.

LOG_COLLECTOR_UPDATE_SERVER=disabled

  • Set the server setting to disabled. In this case, updates are disabled. This is useful in air-gapped environments.

  • Not set. In this case, LogScale uses our update server via a URL defined in the code.

Enable HTTP

We strongly encourage all users to use https://, and the Falcon Log Collector enforces using https:// for URLs. However, it is possible to send to http:// addresses by supplying the following command line flag:

bash
--allow-insecure-http

Note

This is only for testing purposes and not supported in production.

Configuring Checkpoints

By default, the configuration file points to the directory var/lib/logscale-collector as the storage for checkpoints. To change this setting you can:

  1. Stop the Falcon Log Collector service.

    shell
    --logscale-collector.service

  2. Delete the database.db file to reset the state of the installation.

  3. Restart the Falcon Log Collector service.