Install Falcon Log Collector on Linux - Custom

Important

The name of the Falcon Log Collector service varies:

This procedure describes how to perform a custom installation of the Falcon Log Collector on Linux.

  1. Download the Falcon Log Collector as described in Download Falcon Log Collector - Custom or using the command-line, see Download Installers from the Command-line.

  2. Run the following command to install Falcon Log Collector on:

    • Ubuntu

      shell
      $ sudo dpkg -i humio-collector_x.x.x_linux_amd64.deb
    • RedHat

      shell
      $ sudo rpm -i humio-collector.rpm
Run the Falcon Log Collector Manually on Linux

The following procedures allow you to install Falcon Log Collector on Linux manually.

Note

Create a valid configuration before running the LogScale Collector, see Configure Falcon Log Collector for more information.

Configure Start-up on Boot

The package ships with a service file that can be enabled as a systemd service so the collector starts at boot:

shell
$ sudo systemctl enable humio-log-collector.service
Additional Steps on Linux
Add Permissions to the Falcon Log Collector User

By default, the Falcon Log Collector process runs as the user humio-log-collector. This user is unlikely to have read access to most of the log files under /var/log. Adding the user to the adm group generally grants read permission on these files.

$ sudo usermod -a -G adm humio-log-collector
Allow Access to All Files on the Filesystem

The following capabilities can be added to the Falcon Log Collector process to grant access to all files on the filesystem.

Important

This grants broad read access to all files on the system and is therefore not recommended for anything other than testing purposes.

  1. Edit the systemd unit:

    $ sudo vi /usr/lib/systemd/system/humio-log-collector.service
  2. Add the following line under the [Service] section:

    AmbientCapabilities = CAP_DAC_READ_SEARCH

  3. Reload the unit files, restart the process, and view its status:

    $ sudo systemctl daemon-reload
    $ sudo systemctl restart humio-log-collector.service
    $ sudo systemctl status humio-log-collector.service --no-pager -l
  4. We recommend granting access to specific files, or using ACLs, instead of a blanket capability. For example, access to the systemd journal can be granted with:

    $ sudo usermod -a -G systemd-journal humio-log-collector
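Added example (not part of the Falcon Log Collector documentation): before falling back to CAP_DAC_READ_SEARCH, this script reports which log files the collector user can already read through the adm group (or another group you pass in), and emits a systemd drop-in for the capability so the packaged unit in /usr/lib is left untouched for package upgrades. It assumes GNU coreutils (stat -c), as shipped on Ubuntu and RedHat, and only looks at classic mode bits, not POSIX ACLs.

```shell
#!/bin/sh
# Added example, not from the Falcon Log Collector documentation.
# Audit read access to log files for a group, then print a systemd drop-in
# that grants CAP_DAC_READ_SEARCH without editing the packaged unit.
# Assumes GNU coreutils (stat -c). POSIX ACLs are not inspected.

# Return 0 if FILE is readable by a process whose supplementary groups include
# GROUP (group-owner match with the group read bit, or the world read bit),
# 1 if not, and 2 if FILE does not exist.
group_can_read() {
    file=$1
    group=$2
    [ -e "$file" ] || return 2
    owner_group=$(stat -c '%G' "$file")
    mode=$(stat -c '%a' "$file")            # e.g. 640, or 2640 with setgid
    group_digit=$(printf '%s' "$mode" | awk '{ print substr($0, length($0) - 1, 1) }')
    other_digit=$(printf '%s' "$mode" | awk '{ print substr($0, length($0), 1) }')
    case $other_digit in 4|5|6|7) return 0 ;; esac
    if [ "$owner_group" = "$group" ]; then
        case $group_digit in 4|5|6|7) return 0 ;; esac
    fi
    return 1
}

# Print one line per FILE for GROUP and return 0 only if every file is readable.
# Usage: log_access_report adm /var/log/syslog /var/log/auth.log
log_access_report() {
    group=$1
    shift
    all_ok=0
    for f in "$@"; do
        if group_can_read "$f" "$group"; then
            printf 'readable      %s\n' "$f"
        else
            # A per-file ACL keeps the grant narrow: setfacl -m g:GROUP:r FILE
            printf 'NOT readable  %s (consider: setfacl -m g:%s:r %s)\n' "$f" "$group" "$f"
            all_ok=1
        fi
    done
    return $all_ok
}

# Print a drop-in that grants CAP_DAC_READ_SEARCH for testing. Install with:
#   sudo mkdir -p /etc/systemd/system/humio-log-collector.service.d
#   capability_override | sudo tee /etc/systemd/system/humio-log-collector.service.d/override.conf
#   sudo systemctl daemon-reload && sudo systemctl restart humio-log-collector.service
capability_override() {
    printf '[Service]\nAmbientCapabilities=CAP_DAC_READ_SEARCH\n'
}
```

Run `log_access_report adm /var/log/*.log` after the usermod step; anything reported as NOT readable is a candidate for a targeted ACL rather than the system-wide capability. Removing the drop-in file and reloading systemd reverts the capability grant.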
Binding to the Standard Syslog Port

Only root can bind to ports below 1024. To bind to a lower port number, grant the CAP_NET_BIND_SERVICE capability to the logscale-collector binary instead of running the service as root:

shell
$ sudo setcap CAP_NET_BIND_SERVICE=+eip /usr/bin/humio-log-collector
$ sudo systemctl restart humio-log-collector
Firewall Configuration

If a firewall has been configured on your system, it may interfere with the delivery of Syslog data. The firewall configuration will need to be updated to allow the default syslog port, 1515, through the firewall.

On RedHat or Debian Linux installations this can be achieved using the command:

shell
$ sudo firewall-cmd --add-port=1515/tcp --permanent

Other Linux installations may need a different configuration.

Run the Falcon Log Collector Manually for Debugging

For testing, you can run the Falcon Log Collector as a standalone process, ignoring the service file.

  1. Run one of the following commands:

    Note

    Make sure the directory named by the dataDirectory value in config.yaml exists (default: dataDirectory: /var/lib/humio-log-collector).

    • Run the following command to view errors:

      shell
      sudo -u humio-log-collector humio-log-collector --cfg /etc/humio-log-collector/config.yaml --log-level error --log-pretty
    • Run the following to view all debug information:

      shell
      sudo -u humio-log-collector -- humio-log-collector --cfg /etc/humio-log-collector/config.yaml --log-level debug --log-pretty
  2. When you have finished, press <CTRL>+<C> to stop the manually run LogCollector.

  3. Re-start the LogCollector with the following command:

    shell
    sudo systemctl start humio-log-collector.service

    If prompted, enter the sudo password.

  4. Check the status of the LogCollector service:

    shell
    sudo systemctl status humio-log-collector.service

The executable humio-log-collector is located in /usr/bin by default.