Full Falcon LogScale Collector Installation

This documentation provides step-by-step instructions for downloading and installing the Falcon LogScale Collector with the full installation process, which uses curl commands and is supported from LogScale version 1.136.0 and above. The guide covers operating system compatibility, installation steps through the LogScale User Interface, and essential post-installation tasks, including Linux-specific configurations, ingest token generation, and collector configuration.

Available: Full Install v1.136.0

Full Install is the recommended method of installation and is supported as of LogScale 1.136.0. If you are using a prior version, see Custom Installation for information. This method supports remote version management (Manage Versions - Groups) and offers full support and enrollment in Fleet Overview.

Before you start the installation procedure, see Prerequisites and Sizing for information on sizing and the supported operating systems for this version of Falcon LogScale Collector.

The following pages detail how to download and install the Log Collector on all supported operating systems using the Full install. Full install provides a curl command that installs the collector and performs additional post-installation configuration based on the operating system selected.

Prerequisites
  1. The Falcon LogScale Collector can be downloaded from the LogScale User Interface by authenticated users. To download the Falcon LogScale Collector go to Data ingest → Falcon LogScale Collector download.

    Figure 1. Download Page


  2. Select Full install. Central version management (Manage Versions - Groups) can only be used if you use Full install.

  3. Follow the steps on the panel:

    1. Select the radio button for the required Falcon LogScale Collector Installation.

    2. Select an enrollment token from the dropdown menu or leave the default.

    3. Copy, paste and run the curl command in the terminal of your machine to download and install Falcon LogScale Collector.

    4. View your instance on Fleet Overview page.

  4. You can now configure your Falcon LogScale Collector. For more information, see Configuration.

Full Installation Options

This feature is available as of 1.10.2. When using the full installation command, it's possible to configure parts of the installation via command-line options. To add command-line options to the installation command, use the following methods:

How to Use Options
Windows/PowerShell

For Windows/PowerShell, append the options directly to the end of the command:

& ([scriptblock]::Create((Invoke-RestMethod https://.../api/v1/log-collector/install-collector.ps1 -Method POST -Body "..."))) -Option1 "Value1" -Option2 "Value2"

Linux/macOS

For Linux/macOS, append the following after sudo bash, before the options:

-s --

For example:

... | sudo bash -s -- --Option1 "Value1" --Option2 "Value2"

Without -s --, the options are not passed on to the script.
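
The effect of -s -- can be reproduced without running the real installer. The following is an added example, not part of the original documentation or the installer itself: the stand-in script and its option parser are constructed for illustration, and sudo is omitted so that it runs unprivileged.

```shell
# Constructed stand-in for the downloaded installer script. The real
# installer's internals are not shown on this page; only the four
# Linux/macOS option names from the Options table are reused here.
stand_in_installer() {
cat <<'EOF'
need_value() { [ $# -ge 2 ] || { echo "missing value for $1" >&2; exit 64; }; }
proxy= install_prefix= data_prefix= caps=no
while [ $# -gt 0 ]; do
  case "$1" in
    --proxy)               need_value "$@"; proxy=$2; shift 2 ;;
    --install-dir-prefix)  need_value "$@"; install_prefix=$2; shift 2 ;;
    --data-dir-prefix)     need_value "$@"; data_prefix=$2; shift 2 ;;
    --enable-capabilities) caps=yes; shift ;;
    *) echo "unknown option: $1" >&2; exit 64 ;;
  esac
done
printf 'proxy=%s install=%s data=%s caps=%s\n' "$proxy" "$install_prefix" "$data_prefix" "$caps"
EOF
}

# Form from the page (sudo omitted): -s makes bash read the script from
# stdin, and -- ends bash's own options, so everything after it becomes
# the script's positional parameters ($1, $2, ...).
run_with_separator() { stand_in_installer | bash -s -- "$@"; }

# Without "-s --", bash tries to interpret --proxy and the rest as its
# own options, rejects them, and exits before the script ever runs.
run_without_separator() { stand_in_installer | bash "$@"; }

run_with_separator --proxy "http://proxy.example:3128" --enable-capabilities
run_without_separator --proxy "http://proxy.example:3128" || echo "not passed (bash exit $?)"
```

The second call fails inside bash itself, which is why a missing -s -- shows up as a shell option error rather than as an installer message.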

Options

The following options can be used to configure the installation.

Table: Options

| Option | Description | Option Name (Windows) | Option Name (Linux/macOS) |
|---|---|---|---|
| Set Proxy server | Sets a proxy server that is used by the installer, the update service and the LogScale Collector. The proxy server should be specified using http:// syntax. If necessary, remember to add a proxy option to the curl command (-x http://...) or Invoke-RestMethod cmdlet (-Proxy http://...). | -Proxy | --proxy |
| Set Installation Directory Prefix | Overrides the default installation location and instead installs everything under <prefix>/logscale-collector. | -InstallDirPrefix | --install-dir-prefix |
| Set Data Directory Prefix | Overrides the default data directory location and instead stores checkpoints and the fleet management token in <prefix>/logscale-collector. | -DataDirPrefix | --data-dir-prefix |
| Enable Capabilities (Linux) | Enables AmbientCapabilities DAC_READ_SEARCH and NET_BIND_SERVICE for the LogScale Collector service, granting it read access to any file and the ability to listen on ports <1024. | N/A | --enable-capabilities |