Install Falcon Log Collector on Linux - Custom
Important
The name of the Falcon Log Collector service varies:
If you installed using Download and Install Falcon Log Collector Using Curl Commands (Full Install), the service is called logscale-collector.
If you installed using Download and Install Falcon Log Collector using Installers (Custom Install), or a version of LogScale prior to 1.361.1, the service name is humio-log-collector.
This does not apply to macOS.
This procedure describes how to perform a custom installation of the Falcon Log Collector on Linux.
Download the Falcon Log Collector as described in Download Falcon Log Collector - Custom or using the command-line, see Download Installers from the Command-line.
Run the following command to install Falcon Log Collector on:
Ubuntu
$ sudo dpkg -i humio-collector_x.x.x_linux_amd64.deb
RedHat
$ sudo rpm -i humio-collector.rpm
Run the Falcon Log Collector Manually on Linux
The following procedures describe how to run the Falcon Log Collector on Linux manually, and the additional steps the service account usually needs.
Note
Create a valid configuration before running the LogScale Collector, see Configure Falcon Log Collector for more information.
Configure Start-up on Boot
The package ships with a service file that can be enabled as a systemd service so that the collector starts at boot:
$ sudo systemctl enable humio-log-collector.service
Additional Steps on Linux
Add Permissions to the Falcon Log Collector User
By default, the Falcon Log Collector process runs as the user humio-log-collector. This user likely does not have read access to the majority of the log files in the /var/log directory. The user can be added to the adm group, which on most distributions grants read permission on these files:
$ sudo usermod -a -G adm humio-log-collector
The new group membership only takes effect for processes started after the change, so restart the service afterwards.
Allow Access to All Files on the Filesystem
The following capability can be added to the Falcon Log Collector process to grant read access to all files on the filesystem. CAP_DAC_READ_SEARCH bypasses file read and directory search permission checks, so the collector can read any file regardless of its ownership or mode.
Important
This provides broad read access to all system files and is therefore not recommended for anything other than testing purposes.
Run the following command to open an editor for creating an override file:
$ sudo systemctl edit humio-log-collector.service
In the editor, add the following lines:
[Service]
AmbientCapabilities=CAP_DAC_READ_SEARCH
Save and close the editor. This will create an override file in
/etc/systemd/system/humio-log-collector.service.d/
without modifying the original service file.
Reload the systemd manager configuration:
$ sudo systemctl daemon-reload
Restart the service to apply the changes:
$ sudo systemctl restart humio-log-collector.service
Binding to Lower Port Numbers (below 1024)
To allow the Falcon Log Collector to bind to port numbers below 1024 without running as root, you can use an override file to set the appropriate capability. Follow these steps:
Create or edit an override file for the systemd unit:
$ sudo systemctl edit humio-log-collector.service
In the editor, add the following lines:
[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
Save and close the editor.
Reload the systemd manager configuration:
$ sudo systemctl daemon-reload
Restart the service to apply the changes:
$ sudo systemctl restart humio-log-collector.service
This method sets the CAP_NET_BIND_SERVICE capability for the Falcon Log Collector process, allowing it to bind to ports below 1024 without needing root privileges. The capability is applied through systemd.
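The two capability procedures above (CAP_DAC_READ_SEARCH for reading all files, CAP_NET_BIND_SERVICE for low ports) share the same mechanics: write a systemd drop-in, reload, restart, and then confirm that the running process actually carries the capability. The following script is an added example and is not part of the LogScale documentation or the collector package. It assumes the unit name humio-log-collector.service from this page, that the drop-in is written to override.conf in the directory the page names (the file `systemctl edit` would create), and it uses the capability bit numbers from linux/capability.h. The `--apply` path needs root; the helper functions can be used without it.

```shell
#!/bin/bash
# Added example (not from the LogScale docs). Installs a systemd drop-in
# granting ambient capabilities to the collector service and verifies the
# result against /proc/<pid>/status.

UNIT="humio-log-collector.service"
DROPIN_DIR="/etc/systemd/system/${UNIT}.d"      # directory named on the page
DROPIN="${DROPIN_DIR}/override.conf"            # assumption: file name systemctl edit uses

# Capability bit numbers from linux/capability.h
CAP_DAC_READ_SEARCH_BIT=2
CAP_NET_BIND_SERVICE_BIT=10

# Render the drop-in body for one or more capability names (space-separated).
render_override() {
    printf '[Service]\nAmbientCapabilities=%s\n' "$*"
}

# Return 0 if bit $2 is set in a capability mask $1 as printed in
# /proc/<pid>/status (16 hex digits, e.g. 0000000000000400).
has_cap() {
    local mask=$1 bit=$2
    [ $(( (0x$mask >> bit) & 1 )) -eq 1 ]
}

# Print the named capability field (CapEff, CapAmb, ...) of a process.
cap_mask_of_pid() {
    awk -v f="$2:" '$1 == f { print $2 }' "/proc/$1/status"
}

# Non-interactive equivalent of the `systemctl edit` steps on this page.
install_override() {   # usage: install_override CAP_NAME...
    mkdir -p "$DROPIN_DIR"
    render_override "$@" > "$DROPIN"
    systemctl daemon-reload
    systemctl restart "$UNIT"
}

# Check that the running service's effective capability set contains bit $1.
verify_running() {     # usage: verify_running BITNUM
    local pid
    pid=$(systemctl show -p MainPID --value "$UNIT")
    [ "$pid" != "0" ] || { echo "$UNIT is not running" >&2; return 1; }
    has_cap "$(cap_mask_of_pid "$pid" CapEff)" "$1"
}

if [ "${1:-}" = "--apply" ]; then
    install_override CAP_NET_BIND_SERVICE
    if verify_running "$CAP_NET_BIND_SERVICE_BIT"; then
        echo "CAP_NET_BIND_SERVICE is effective for $UNIT"
    else
        echo "capability not present; check the drop-in and journalctl -u $UNIT" >&2
        exit 1
    fi
fi
```

Run `sudo bash script.sh --apply` to install the low-port override; to grant both capabilities for a test box, call `install_override CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH` instead, since systemd accepts a space-separated list in one AmbientCapabilities line. Checking CapEff rather than trusting the unit file catches the common failure where the drop-in was written but daemon-reload or the restart was skipped.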
Firewall Configuration
If a firewall has been configured on your system it may block incoming Syslog data. The firewall configuration needs to allow the port the collector's syslog source listens on (the default used in this documentation is 1515).
On RedHat or Debian installations that use firewalld this can be achieved using the command:
$ sudo firewall-cmd --add-port=1515/tcp --permanent
A rule added with --permanent is not active until the firewall is reloaded with `sudo firewall-cmd --reload`. If your sources send syslog over UDP, open 1515/udp as well.
Other Linux installations may need a different configuration.
Run the Falcon Log Collector Manually for Debugging
For test purposes you can run the Falcon Log Collector as a standalone process, bypassing the service file.
Note
Make sure the dataDirectory value in config.yaml exists. The default is:
dataDirectory: /var/lib/humio-log-collector
Run one of the following commands.
To view errors only:
$ sudo -u humio-log-collector humio-log-collector --cfg /etc/humio-log-collector/config.yaml --log-level error --log-pretty
To view all debug information:
$ sudo -u humio-log-collector -- humio-log-collector --cfg /etc/humio-log-collector/config.yaml --log-level debug --log-pretty
When you have finished, press Ctrl+C to stop the manually run Log Collector.
Restart the Log Collector as a service with the following command, entering the sudo password if prompted:
$ sudo systemctl start humio-log-collector.service
Check the status of the Log Collector service:
$ sudo systemctl status humio-log-collector.service
The executable humio-log-collector is located in /usr/bin by default.
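Before running the collector manually it is worth checking the two things the note above depends on: that config.yaml is readable and that the dataDirectory it names exists and is writable by the service user, since a missing or root-owned data directory is the usual cause of an immediate startup error. The preflight script below is an added example, not part of the LogScale documentation or the collector; it assumes the config path and default data directory given on this page and that the data directory key is a top-level, unquoted or quoted `dataDirectory:` line.

```shell
#!/bin/bash
# Added example (not from the LogScale docs): preflight checks for a manual
# run of humio-log-collector.

CONFIG=${CONFIG:-/etc/humio-log-collector/config.yaml}   # path from the page
SERVICE_USER=humio-log-collector
DEFAULT_DATA_DIR=/var/lib/humio-log-collector            # documented default

# Print the top-level dataDirectory value from a YAML config. Quotes are
# stripped; the documented default is used when the key is absent.
data_directory_from_config() {
    local v
    v=$(sed -n 's/^dataDirectory:[[:space:]]*//p' "$1" | head -n 1 | tr -d "\"'")
    printf '%s\n' "${v:-$DEFAULT_DATA_DIR}"
}

# Verify the config is readable and the data directory exists; when a user
# is given, also verify that user can write to it (needs sudo).
preflight() {   # usage: preflight CONFIG_FILE [USER]
    local cfg=$1 user=${2:-} dir
    [ -r "$cfg" ] || { echo "config $cfg is not readable" >&2; return 1; }
    dir=$(data_directory_from_config "$cfg")
    [ -d "$dir" ] || {
        echo "dataDirectory $dir does not exist; create it and chown it to $SERVICE_USER" >&2
        return 1
    }
    if [ -n "$user" ]; then
        sudo -u "$user" test -w "$dir" || { echo "$dir is not writable by $user" >&2; return 1; }
    fi
    echo "ok: dataDirectory=$dir"
}

# Stand-alone use: check the real config for the real service user.
if [ "${1:-}" = "--check" ]; then
    preflight "$CONFIG" "$SERVICE_USER"
fi
```

Run `sudo bash preflight.sh --check` before the manual `sudo -u humio-log-collector ...` command; if it fails, fix the reported item rather than running the collector as root, which would leave root-owned state in the data directory that the service user cannot later use.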