Manage Groups
Fleet Management allows you to create groups to manage the configurations of a large number of instances with ease. Groups can be created using a simplified version of the LogScale query language, which allows you to create dynamic groups where any new collector instance that is enrolled into the fleet and meets the filters is automatically added.
The configurations that are applied to a group are created by combining one or more configuration snippets. The combined file is validated during the procedure and applied to all the instances in the group.
Figure 7. Group Page
A group definition can use hostname, system (OS), version, IP address and machine ID, all of which are derived automatically by the collector.
Combine Configuration Snippets
When you create a group you can assign multiple configuration snippets to the group to create a complete configuration, without duplicating configuration sections.
For example, say you need to manage the configuration of 200 instances, where:
115 instances collect data from services and have this combined configuration:

```yaml
sources:
  service:
    type: file
    include: /var/service/*
    sink: logscale
sinks:
  logscale:
    type: humio
    token: <ingest-token>
    url: <logscale-base-url> # example - https://cloud.community.humio.com
```

85 instances collect data from var_log and have a combination of the above and another configuration:

```yaml
sources:
  var_log:
    type: file
    include: /var/log/*
    sink: logscale
  service:
    type: file
    include: /var/service/*
    sink: logscale
  json_log:
    type: unifiedlog
    format: json
    include:
      - process: securityd
        predicate: eventMessage CONTAINS 'Session ' && subsystem == 'com.apple.securityd'
    parser: "apple/unifiedlog:unifiedlog-json"
    sink: logscale
sinks:
  logscale:
    type: humio
    token: <ingest-token>
    url: <logscale-base-url> # example - https://cloud.community.humio.com
```
In the above case you would create three snippet configurations:
One containing the sinks section:

```yaml
sinks:
  logscale:
    type: humio
    token: <ingest-token>
    url: <logscale-base-url> # example - https://cloud.community.humio.com
```

Two containing the different sources sections:

```yaml
sources:
  var_log:
    type: file
    include: /var/log/*
    sink: logscale
```

```yaml
sources:
  service:
    type: file
    include: /var/service/*
    sink: logscale
```
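How snippets like these combine into the two group configurations, as an added sketch that is not LogScale's own merge logic. It assumes snippets merge key by key, that two snippets giving the same key different values is a merge conflict, and that every source must name a sink defined in the combined file; the function names are hypothetical.

```python
import copy

# Constructed sample data: the three snippets above, as Python dicts mirroring the YAML.
SINKS = {"sinks": {"logscale": {"type": "humio", "token": "<ingest-token>",
                                "url": "<logscale-base-url>"}}}
SRC_SERVICE = {"sources": {"service": {"type": "file",
                                       "include": "/var/service/*", "sink": "logscale"}}}
SRC_VAR_LOG = {"sources": {"var_log": {"type": "file",
                                       "include": "/var/log/*", "sink": "logscale"}}}


def merge(snippets):
    """Deep-merge snippets in order; return (config, conflicting key paths)."""
    config, conflicts = {}, []

    def _merge(dst, src, path):
        for key, value in src.items():
            here = f"{path}.{key}" if path else key
            if key not in dst:
                dst[key] = copy.deepcopy(value)    # never alias the input snippet
            elif isinstance(dst[key], dict) and isinstance(value, dict):
                _merge(dst[key], value, here)      # same section: merge its children
            elif dst[key] != value:
                conflicts.append(here)             # same key, different value (assumed rule)

    for snippet in snippets:
        _merge(config, snippet, "")
    return config, conflicts


def validate(config):
    """Report missing sections and sources that point at an undefined sink."""
    problems = [f"missing section: {s}" for s in ("sources", "sinks") if not config.get(s)]
    sinks = config.get("sinks", {})
    for name, source in config.get("sources", {}).items():
        if source.get("sink") not in sinks:
            problems.append(f"source {name}: unknown sink {source.get('sink')!r}")
    return problems


if __name__ == "__main__":
    groups = {"115 service instances": [SRC_SERVICE, SINKS],
              "85 var_log instances": [SRC_VAR_LOG, SRC_SERVICE, SINKS]}
    for label, parts in groups.items():
        config, conflicts = merge(parts)
        print(label, sorted(config["sources"]), conflicts, validate(config))
```

Because the ingest token lives only in the sinks snippet, rotating it means editing one snippet rather than every combined configuration.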
Create a Group
Groups allow you to manage the configuration of multiple instances of the Falcon LogScale Collector, and to combine configuration snippets into a configuration which can be applied to all the instances in the group. These features allow you to bulk manage instances.
You can create groups which contain a static list of instances, using, for example, the ID of specific machines, or dynamic filters based on a subset of the LogScale query language. See Query Language Syntax for more information on our query language.
Go to your LogScale account and click Data Ingest and select .
Figure 8. Group Page
Click , a pop-up is displayed.
Figure 9. Create Group
Specify a name for the group and search for the configuration snippet or snippets you want to apply to the group.
The files are combined to create a single valid configuration file, where possible, and any merge conflicts that occur are displayed on the pop-up. When the resulting configuration meets your requirements click . See Combine Configuration Snippets for more details on snippets.
Figure 10. Create Group Error
Use the filter to query the instances to add to the group. You can use a subset of the LogScale Query Language to create a dynamic list of instances, or a more static list, for example by machine ID or version. The filter
version=1.*
matches instances running any version which starts with
1.
The instances in the group are automatically updated with any new instances that meet the filter criteria.
In the screenshot below we match all collectors running on macOS. Click .
Figure 11. Create Group 2
Manage Versions - Groups
You can remotely manage the versions of instances which are part of groups. This allows you to update or roll back sets of LogScale instances from the Groups page.
This feature can only be used for instances which have been installed using the Full install described in Install Falcon LogScale Collector. You can also update specific instances from the fleet overview page, see Managing Falcon LogScale Collector Versions - Instances.
Go to your LogScale account and click Data Ingest and select . The Group page is displayed.
Click on the three dots next to the group you want to update or roll back and select , the version details pop-up is displayed.
Figure 12. Version Details
Select the radio button next to the version to update or downgrade to, and click .
Note
These options are only available for instances which have been installed using the full install and for specific versions of the Falcon LogScale Collector.
Edit a Group
You can edit groups to change:
the name of the group
the configuration/s which are assigned
the instances included in the group (the filter)
Go to your LogScale account and click Data Ingest and select . The Group page is displayed.
Click the three dots next to the group you want to edit and select . The edit pop-up is displayed.
On the first page of the pop-up you can edit the configuration, see Create a Group for details on the configuration or combined configuration for your group. Click to go to the filter page of the pop-up.
On this page you can edit the query filters which are applied to create a group of instances. You can use a subset of the LogScale Query Language to filter for instances. When you edit the query filters of a previously created group, the pop-up displays how the changes impact the number of instances in the group. Click .
Figure 13. Edit Group
Delete a Group
You can delete groups when they are no longer required.
Go to your LogScale account and click Data Ingest and select . The Group page is displayed.
Click the three dots next to the group you want to delete and select . The delete pop-up is displayed with details on how many instances deleting the group will affect.