Troubleshooting & Execution
The following sections describe methods of troubleshooting your Log Collector instances and some more advanced configuration settings.
You can troubleshoot your Falcon LogScale Collector using the following methods:
Using Environment Variables to log to a Falcon LogScale Repository.
Using Fleet Management Log to Fleet Management Internal Logging to log to a Falcon LogScale Repository.
(run in CLI)
View System Logs
Falcon LogScale Collector can be run as a service, in which case it automatically logs warnings and errors. The level of the logs (i.e. trace, info, warn) that are logged can be changed through the configuration file; see Configuration Elements.
The logs for services are stored in different locations depending on the operating system:
If run as a Linux service on systemd Linux installations, they are logged in journald.
On macOS they are logged in /var/log/logscale-collector/main.log
On Windows they are logged in the Windows event log.
Debug Log
The Falcon LogScale Collector debug log can be sent to a LogScale instance by setting the HUMIO_DEBUG_LOG_ADDRESS and HUMIO_DEBUG_LOG_TOKEN environment variables. On Linux the environment variables can be configured in /etc/default/logscale-collector, while on Windows they have to be configured in system properties. For macOS see Setting Environment Variables on macOS.
HUMIO_DEBUG_LOG_ADDRESS=https://<your-humio-instance>
HUMIO_DEBUG_LOG_TOKEN=<your-ingest-token>
To stop sending the debug log, unset the environment variables.
Debug Environment Variables
Name | Description | Default |
---|---|---|
HUMIO_DEBUG_LOG_LEVEL | You can use this environment variable to set the level of the logs sent to debug log. | Trace |
HUMIO_DEBUG_LOG_ADDRESS | Required, the address of your LogScale instance. | |
HUMIO_DEBUG_LOG_TOKEN | Required, specify the ingest token for your repository. | |
HUMIO_DEBUG_LOG_INSECURE | If true, disables HTTPS certificate verification when sending debug logs. | False |
HUMIO_DEBUG_LOG_CACERT | Specify a PEM encoded CA certificate to trust when sending debug logs. | |
HUMIO_DEBUG_LOG_CAFILE | Specify a file containing a PEM encoded CA certificate to trust when sending debug logs. | |
HUMIO_DEBUG_LOG_ALLOW_HTTP | If true, allows sending debug logs to addresses beginning with http:// | False |
HUMIO_DEBUG_LOG_PROXY | Specify a proxy to use when sending debug logs. Defaults to auto, which is the system proxy if available. Specify system to use the system proxy or fail. Specify an address such as http://10.1.1.1:3128 to use a specific proxy. | Auto |
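Several of these variables weaken transport security or place an ingest token in a file on disk, so it is worth checking them after a troubleshooting session. The following is an added example, not part of the original documentation or the vendor's tooling: a shell function that reads a KEY=VALUE environment file such as /etc/default/logscale-collector and reports risky debug-log settings. The function name audit_debug_env, the sample address and the sample token are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not vendor code: flag risky HUMIO_DEBUG_LOG_* settings in an
# environment file such as /etc/default/logscale-collector.
# Assumptions: plain KEY=VALUE lines (optional "export ", optional quotes);
# "true" is matched case-insensitively.

audit_debug_env() {
    file=$1
    token_set=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#export }
        case $line in
            ''|'#'*) continue ;;
        esac
        key=${line%%=*}
        value=$(printf '%s' "${line#*=}" | tr -d "\"'")
        case $key in
            HUMIO_DEBUG_LOG_INSECURE)
                case $value in [Tt][Rr][Uu][Ee])
                    echo "$key: HTTPS certificate verification is disabled" ;;
                esac ;;
            HUMIO_DEBUG_LOG_ALLOW_HTTP)
                case $value in [Tt][Rr][Uu][Ee])
                    echo "$key: http:// destinations are allowed" ;;
                esac ;;
            HUMIO_DEBUG_LOG_ADDRESS)
                case $value in [Hh][Tt][Tt][Pp]://*)
                    echo "$key: destination is not HTTPS" ;;
                esac ;;
            HUMIO_DEBUG_LOG_TOKEN)
                if [ -n "$value" ]; then token_set=1; fi ;;
        esac
    done < "$file"
    # An ingest token in the file should not be readable by group or others.
    if [ "$token_set" -eq 1 ]; then
        case $(ls -ld "$file" | cut -c5,8) in
            *r*) echo "HUMIO_DEBUG_LOG_TOKEN: $file is readable by group or others" ;;
        esac
    fi
    return 0
}

# Constructed sample file; the address and token are made-up values.
sample=$(mktemp)
printf '%s\n' 'HUMIO_DEBUG_LOG_ADDRESS=https://logscale.example.internal' \
    'HUMIO_DEBUG_LOG_TOKEN=constructed-token' \
    'HUMIO_DEBUG_LOG_INSECURE=true' > "$sample"
chmod 644 "$sample"
audit_debug_env "$sample"
rm -f "$sample"
```

An empty result means none of the checked settings were found; each output line names the variable that needs attention.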
Setting Environment Variables on macOS
To set the environment variable on Mac when running the Log Collector as a service, you need to:
Open the LaunchDaemon description file, located in /Library/LaunchDaemons/com.crowdstrike.logscale-collector.plist.
Add the EnvironmentVariables dict with the three variables above the Label key.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>EnvironmentVariables</key>
<dict>
<key>HUMIO_DEBUG_LOG_ADDRESS</key>
<string>https://your-humio-instance</string>
<key>HUMIO_DEBUG_LOG_TOKEN</key>
<string>ingest-token</string>
<key>HUMIO_DEBUG_LOG_LEVEL</key>
<string>trace</string>
</dict>
<key>Label</key>
...
Using Console Stderr
The Falcon LogScale Collector sends information to stderr if run from the CLI. The information is sent in JSON format and the level of detail is controlled by the log-level. The log-level can be specified using two different approaches (highest priority first):
Using a command line argument:
--log-level debug
Configuring a log-level in the configuration file (yaml):
logLevel: debug
The following log-levels are supported:
trace (highest verbosity)
debug
info
warn
error (default)
fatal
The --log-pretty command line argument enables pretty-printing of console output for all logs. It has no effect on logs sent to LogScale, which use JSON format.
Disable Automated Updates
By default, LogScale tries to provide the latest Falcon LogScale Collector installers. If you have connection issues or the server is not connected to the internet, you may need to disable automatic updates:
LOG_COLLECTOR_UPDATE_SERVER=disabled
The server setting can be one of the following:
disabled. In this case, updates are disabled. This is useful in air-gapped environments.
Not set. In this case, LogScale uses our update server via a URL defined in the code.
Enable HTTP
We strongly encourage all users to use https://, and the Falcon LogScale Collector enforces using https:// for URLs. However, it is possible to send to http:// addresses by supplying the command line flag:
--allow-insecure-http
Note
This is only for testing purposes and not supported in production.
Configuring Checkpoints
By default, the configuration file points to the directory var/lib/logscale-collector as the storage for checkpoints. To change this setting you can:
Stop the Falcon LogScale Collector service
shell--logscale-collector.service
Delete the database.db file to reset the state of the installation.
Restart the Falcon LogScale Collector service.