Manage Falcon Log Collector Instance Enrollment

Enrolled instances of the Falcon Log Collector are associated with a remote configuration, this means that the instance will no longer use a local configuration and you can manage its configuration file via the Manage Remote Configurations.

To see an overview of all instances and their configurations:

Note

The Enroll Command now stops and starts the service during the enrollment process, this behavior can be skipped by using --no.service flag on the enroll command.

  1. Go to your LogScale account and click Data ingest.

    The Fleet overview page will load with all the Falcon Log Collectors which have been configured for fleet management.

    Tip

    You can also enroll from the Download Page

  2. Click Enrollment tokens on the left menu, a list of all the enrollment tokens and their details are displayed.

Enroll a Falcon Log Collector Instance

The process of creating a new enrollment token associates an instance of Falcon Log Collector to a centrally managed configuration file, see Manage Remote Configurations for more information.

  1. Once you have installed the Falcon Log Collector Install Falcon Log Collector go to Enrollment tokens under Data ingest.

  2. Click + New token and type a name which is easy to identify.

    Create Pop-up

    Figure 34. Create Pop-up


  3. Select a configuration from the Assigned config drop down menu to assign to the instance or instance of Falcon Log Collector.

  4. Click Create token, the token is now visible in the Enrollment tokens page.

    Enrollment Page

    Figure 35. Enrollment Page


  5. If you need to place your data directory at a different path, the --data argument can be provided. The data directory is written to the start-up config.

    Click the eye icon next to the newly generated token, then click the copy icon next to required OS to copy the token to your clipboard. You can add some optional settings to this command, see Enrollment Token Options.

  6. Run the script on the machine where the Falcon Log Collector instance (installation) is present.

Note

The Enroll Command stops and starts the service during the enrollment process, this behavior can be skipped by using

shell
--no-service

flag on the enroll command.

Enroll Existing Falcon Log Collector Instances

You can enroll existing Falcon Log Collector Instances into Fleet management, just for the purposes of monitoring the status of your instances by adding the fleetManagement to the local configuration, see Fleet Management (fleetManagement).

However to take full advantage of Fleet Management you must enroll the configuration in remote configuration management. The following steps guide you through this process:

Important

This procedure will delete the existing configuration .yaml file being used by the instances of Falcon Log Collector.

  1. If you do not already have a configuration in remote configuration for the instances or instances, you can import an existing configuration or create a new configuration as described here: Create a Remote Configuration, if your are importing a local configuration file you may need to remove some local only sections which will be underlined by the editor.

  2. Go to Enrollment tokens under Data ingest.

  3. Click + New token and type a name which is easy to identify.

    Create Pop-up

    Figure 36. Create Pop-up


  4. Select the configuration you created from the Assigned config drop down menu to assign to the instance or instance of Falcon Log Collector.

  5. Click Create token, the token is now visible in the Enrollment tokens page.

    Enrollment Page

    Figure 37. Enrollment Page


  6. Click the eye icon next to the newly generated token, then click the copy icon next to required OS to copy the token to your clipboard. You can add some optional settings to this command, see Enrollment Token Options .

  7. Run the script on the machine where the Falcon Log Collector instance (installation) is present.

Edit an Enrollment Token

The edit feature allows you to change the name of a token and switch the configuration assigned to an instance.

  1. Go to the Data ingest tab and click Enrollment tokens.

  2. Click the ellipsis icon next to the token you want to change and select Edit config.

  3. Edit the name and/or change the assigned configuration by selecting a configuration file from the Assigned config drop down menu.

    Edit Pop-up

    Figure 38. Edit Pop-up


  4. Click Save.

Enrollment Token Options

You can set some options related to the configuration when running the enrollment command.

Option Description Default Value / Behavior
--allow-insecure-http

Enable use of http:// addresses, see Enable HTTP.

Not allowed
--allow-remote-cmd

Enable allows the use of CMD sources when using remote configuration

Not allowed
--ca-cert mycert

Use CA root certificate from argument. this can be used with a PEM encoded value, the certificate will be encoded in the start-up configuration. For example

--ca-cert "-----BEGIN CERTIFICATE-----\n....\n-----END CERTIFICATE-----

N/A
--ca-file mycertfile

Use CA root certificate from file argument and point to a certificate file on disk. The path to the file should be absolute and readable by the service user. The file will be read on each start of the Falcon Log Collector. Example:--ca-file "/opt/ca.crt"

N/A
--cfg myfilepath This options allows you to specify a custom configuration file location. The enrollment command overwrites the local file with a start-up remote configuration. If your service used a configuration on a different path, the --cfg argument can be used to place the configuration in a different path. The argument only affects the path to where the start-up configuration is written, it does not alter the SystemD or Windows service entry. by default the following paths are used:
  • Linux

    /etc/logscale-collector/config.yaml

    /etc/humio-log-collector/config.yaml

  • Windows

    C:\Program Files (x86)\CrowdStrike\Humio Log Collector\config.yaml

  • macOS

    /usr/local/etc/logscale-collector/config.yaml

--data mydatadirectory

This option can be used to specify a custom datadirectory which is then written to the start-up configuration.

by default the following paths are used:
  • Linux

    /var/lib/logscale-collector

  • Windows

    C:\ProgramData\LogScale Collector

  • macOS

    /var/local/logscale-collector

--ephemeralTimeout mytimeoutinhours If set the collector will be unenrolled and disappear from the fleetoverview if it has been offline for the specified duration in hours N/A
-h or --help Prints list of command options that can be used for enroll. N/A
--mode mymode

Mode of enrollment, can be "full" or "localConfig" where:

  • full (default): Will enroll into Fleet Management with configuration of the log sources stored and managed centrally in LogScale.

  • localConfig: Will enroll into Fleet Management with configuration of the log sources managed and stored locally on the host in a local yaml-file. Fleet overview including metrics from the Collector will still be available.

Full
--no-check-certificate

Skip TLS certificate validation. Allows insecure connections.

Validation is performed.
--no-permissions

Data directory permissions will not be changed. This option is only relevant for Linux. It will prevent the command from changing data directory permissions to align with the standard service user.

It should not be used for normal deployments, and is only relevant if for some reason the standard service user is not desired to be used to run the collector.

Changes are made to the permissions of the datadirectory.
--no-service The Enroll Command now stops and starts the service during the enrollment process, this behavior can be omitted by using this option. The service stops and starts when the command has run.
--proxy myproxy

Proxy to use for fleet management where the possible values are:

  • auto - which will try to determine the system proxy or fallback to none.

  • system - will attempt to use the system proxy and fail if it cannot be determined.

  • none - for Windows Server or you can specify, if required, an override proxy configuration for the sink.

  • a URL such as: http://127.0.0.1:3129 for a http proxy.

If your setup requires a proxy to communicate with LogScale, it can be configured using the --proxy followed by the proxy.

Auto,
--timeout duration

Timeout of the command. If the processing of the command takes longer than duration, the command will fail and exit. This could be caused by e.g. network timeout. Possible values are either 0 or a duration using a format with units e.g. :0: no timeout,1m30s

Default is 1m0s.

Delete Enrollment Token
  1. Go to the Data ingest tab and click Enrollment tokens.

  2. Click the ellipsis icon next to the token you want to change and select Delete config.

  3. Click Delete config to confirm.

    Delete Pop-up

    Figure 39. Delete Pop-up