Manage Groups

Fleet Management allows you to create groups to manage the configurations of a large number of instances with ease. Groups are defined using a simplified version of the LogScale query language, which lets you create dynamic groups: any new collector instance that is enrolled into the fleet and matches the filters is added to the group automatically.

The configuration applied to a group is created by combining one or more configuration snippets; the combined file is validated during the procedure and then applied to all the instances in the group.

Figure 7. Group Page


Hostname, system (OS), version, IP address and machine ID can all be used in a group definition; these attributes are derived automatically by the collector.

Combine Configuration Snippets

When you create a group you can assign multiple configurations to the group to create a complete configuration, without creating duplicated configuration sections.

Let's say, for example, you need to manage the configuration of 200 instances, where:

  • 115 instances collect data from services and have this combined configuration:

    sources:
      service:
        type: file
        include: /var/service/*
        sink: logscale

    sinks:
      logscale:
        type: humio
        token: <ingest-token>
        url: <logscale-base-url>  # example - https://cloud.community.humio.com

  • 85 instances collect data from var_log and have a combination of the above and another configuration:

    sources:
      var_log:
        type: file
        include: /var/log/*
        sink: logscale
      service:
        type: file
        include: /var/service/*
        sink: logscale
      json_log:
        type: unifiedlog
        format: json
        include:
          - process: securityd
            predicate: eventMessage CONTAINS 'Session ' && subsystem == 'com.apple.securityd'
        parser: "apple/unifiedlog:unifiedlog-json"
        sink: logscale

    sinks:
      logscale:
        type: humio
        token: <ingest-token>
        url: <logscale-base-url>  # example - https://cloud.community.humio.com

In the above case you would create three configuration snippets:

  • One containing the sinks section:

    sinks:
      logscale:
        type: humio
        token: <ingest-token>
        url: <logscale-base-url>  # example - https://cloud.community.humio.com

  • Two containing the different sources sections:

    sources:
      var_log:
        type: file
        include: /var/log/*
        sink: logscale

    sources:
      service:
        type: file
        include: /var/service/*
        sink: logscale
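To make the snippet merge concrete, here is an added illustration (not CrowdStrike's code; Fleet Management performs the real merge and validation when you create a group). Snippets are given as already-parsed YAML mappings so the example runs without a YAML library; it deep-merges them, reports a merge conflict when two snippets disagree on the same key, and checks that every source refers to a defined sink.

```python
"""Merge Falcon Log Collector configuration snippets into one configuration.

Constructed illustration, not the product's own merge code. Snippets are
plain dicts standing in for parsed YAML.
"""
from copy import deepcopy


class MergeConflict(ValueError):
    """Two snippets define the same key with different values."""


def merge_snippets(snippets):
    """Deep-merge snippet mappings; raise MergeConflict on disagreeing leaves."""
    def merge(dst, src, path):
        for key, value in src.items():
            here = path + [key]
            if key not in dst:
                dst[key] = deepcopy(value)
            elif isinstance(dst[key], dict) and isinstance(value, dict):
                merge(dst[key], value, here)          # both sides are sections: recurse
            elif dst[key] != value:
                raise MergeConflict(".".join(here))  # e.g. "sinks.logscale.url"
        return dst

    combined = {}
    for snippet in snippets:
        merge(combined, snippet, [])
    return combined


def validate(config):
    """Return a list of problems: every source must point at a defined sink."""
    sinks = config.get("sinks", {})
    problems = []
    for name, source in config.get("sources", {}).items():
        sink = source.get("sink")
        if sink not in sinks:
            problems.append(f"source {name!r} references undefined sink {sink!r}")
    return problems


# Constructed snippets mirroring the page: one sinks snippet, two sources snippets.
SINKS = {"sinks": {"logscale": {"type": "humio", "token": "<ingest-token>",
                                "url": "<logscale-base-url>"}}}
VAR_LOG = {"sources": {"var_log": {"type": "file", "include": "/var/log/*",
                                   "sink": "logscale"}}}
SERVICE = {"sources": {"service": {"type": "file", "include": "/var/service/*",
                                   "sink": "logscale"}}}

if __name__ == "__main__":
    cfg = merge_snippets([SINKS, VAR_LOG, SERVICE])
    print(sorted(cfg["sources"]), validate(cfg))   # ['service', 'var_log'] []
```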

Create a Group

Groups allow you to manage the configuration of multiple instances of the Falcon Log Collector, and to combine configuration snippets into a configuration that is applied to all the instances in the group. Together, these features let you manage instances in bulk.

You can create groups that contain a static list of instances (using, for example, the IDs of specific machines) or dynamic filters based on a subset of the LogScale query language; see Query Language Syntax for more information on the query language.

  1. Go to your LogScale account and click Data Ingest and select Groups.

    Figure 8. Group Page


  2. Click + New group; a pop-up is displayed.

    Figure 9. Create Group


  3. Specify a name for the group and search for the configuration snippet or snippets you want to apply to the group.

    The files are combined to create a single valid configuration file where possible, and any merge conflicts that occur are displayed on the pop-up. When the resulting configuration meets your requirements, click Next. See Combine Configuration Snippets for more details on snippets.

    Figure 10. Create Group Error


  4. Use the filter to query the instances to add to the group. You can use a subset of the LogScale Query Language to create a dynamic list of instances, or a more static list, for example by machine ID or version:

    version=1.*

    This filters for instances running any version that starts with 1. The group is automatically updated with any new instances that meet the filter criteria.

    In the screenshot below we match all collectors running on macOS. Click Create group.

    Figure 11. Create Group 2
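How a dynamic filter such as `version=1.*` keeps group membership current, as an added illustration that is not the product's own code. It supports only the `field=pattern` form shown above (with `*` as a wildcard, and several space-separated terms all required to match); the attribute names are assumed, and the real grammar is described in Query Language Syntax.

```python
"""Evaluate a group filter against enrolled collector instances.

Constructed illustration, not CrowdStrike's code. Only `field=pattern`
terms are supported; `*` matches any run of characters.
"""
from fnmatch import fnmatchcase

# Attributes the page says the collector derives automatically (names assumed).
FIELDS = ("hostname", "system", "version", "ip", "machineid")


def parse_filter(text):
    """Turn 'system=macOS version=1.*' into [('system','macOS'), ('version','1.*')]."""
    terms = []
    for term in text.split():
        field, sep, pattern = term.partition("=")
        if not sep or field not in FIELDS or not pattern:
            raise ValueError(f"unsupported filter term: {term!r}")
        terms.append((field, pattern))
    return terms


def matches(instance, terms):
    """An instance is in the group only if every term matches its attribute."""
    return all(fnmatchcase(str(instance.get(f, "")), p) for f, p in terms)


def group_members(instances, filter_text):
    """Machine IDs of the instances a dynamic group currently contains."""
    terms = parse_filter(filter_text)
    return sorted(i["machineid"] for i in instances if matches(i, terms))


# Constructed fleet snapshot.
FLEET = [
    {"hostname": "web-01", "system": "Linux", "version": "1.4.2", "ip": "10.0.0.11", "machineid": "m-001"},
    {"hostname": "mac-01", "system": "macOS", "version": "1.5.0", "ip": "10.0.0.12", "machineid": "m-002"},
    {"hostname": "win-01", "system": "Windows", "version": "11.2.0", "ip": "10.0.0.13", "machineid": "m-003"},
]

if __name__ == "__main__":
    print(group_members(FLEET, "version=1.*"))   # ['m-001', 'm-002']  (11.2.0 is excluded)
    # A newly enrolled macOS collector joins the macOS group without editing it.
    newcomer = {"hostname": "mac-02", "system": "macOS", "version": "1.6.0",
                "ip": "10.0.0.14", "machineid": "m-004"}
    print(group_members(FLEET + [newcomer], "system=macOS"))   # ['m-002', 'm-004']
```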


Manage Versions - Groups

You can remotely manage the versions of instances that are part of a group; this allows you to update or roll back sets of LogScale instances from the Groups page.

This feature can only be used for instances that have been installed using the Full install described in Install Falcon Log Collector. You can also update specific instances from the fleet overview page; see Managing Falcon Log Collector Versions - Instances.

  1. Go to your LogScale account and click Data Ingest and select Groups. The Group page is displayed.

  2. Click the three dots next to the group you want to update or roll back and select Manage versions; the version details pop-up is displayed.

    Figure 12. Version Details


  3. Select the radio button next to the version to update or downgrade to, and click Update now.

    Note

    These options are only available for instances that have been installed using the full install and for specific versions of the Falcon Log Collector.

Edit a Group

You can edit groups to change:

  • the name of the group

  • the configuration(s) assigned to the group

  • the instances included in the group (the filter)

  1. Go to your LogScale account and click Data Ingest and select Groups. The Group page is displayed.

  2. Click the three dots next to the group you want to edit and select Edit group. The edit pop-up is displayed.

  3. On the first page of the pop-up you can edit the configuration; see Create a Group for details on the configuration or combined configuration for your group. Click Next to go to the filter page of the pop-up.

  4. On this page you can edit the query filters which are applied to create a group of instances. You can use a subset of the LogScale Query Language to filter for instances. When you edit the query filters of a previously created group the pop-up displays how the changes impact the number of instances in the group. Click Update group.

    Figure 13. Edit Group


Delete a Group

You can delete groups when they are no longer required.

  1. Go to your LogScale account and click Data Ingest and select Groups. The Group page is displayed.

  2. Click the three dots next to the group you want to delete and select Delete group. The delete pop-up is displayed with details on how many instances deleting the group will affect.