Falcon LogScale Collector
The Falcon LogScale Collector is the native log shipper for LogScale. It can collect and send events to a LogScale repository, using LogScale ingest tokens to route data to the relevant repositories.
Falcon LogScale Collector, available on Linux, macOS and Windows can be managed centrally through Fleet Management, enabling you to centrally manage multiple instances of Falcon LogScale Collector from within LogScale.
Falcon LogScale Collector can collect data from several sources:
command sources;
Windows events
files
Linux systems
syslog
unifiedlog
JournalD sources
It uses @collect.* metadata
attached to events, including unique collector
ID,
hostname,
@collect.timestamp, etc.
Falcon LogScale Collector buffers in memory, and sends data to LogScale instances based on ingest tokens or environment variables.
It offers a sub-second ingest lag between a line being written and sent to LogScale: this is configurable. It also provides network compression (default is ON), and supports HTTP(S) proxies.
Refer to the following documentation for more information on the Log Collector:
Installing Falcon LogScale CollectorThe headings of the list below are linked to documentation pages that explain how to install Falcon LogScale Collector:
Install Falcon LogScale Collector
Describes how to install Falcon LogScale Collector using the full install which is required in order to manage updates remotely.
Download and Install Falcon LogScale Collector using Installers (Custom Install)
For details on how to install Falcon LogScale Collector using custom methods.
The headings of the list below are linked to documentation pages that explain how to configure Falcon LogScale Collector:
Configure Falcon LogScale Collector
Falcon LogScale Collector can be configured remotely, or through its configuration files, locally. This linked page describes how to make changes to the configuration.
Related to making changes to the configuration file – which is a yaml file – this page lists the configuration elements of which you will need to be aware for proper parsing of the yaml configuration file.
By clicking on the heading here, you'll be taken to a page which provides a set of example configuration files and source specific references that you might find useful.
It's important to keep your software up-to-date, and to keep current on the latest related information. Below are links to documentation to do this:
Falcon LogScale Collector Releases
Falcon LogScale Collector is still fairly new. There are many improvements that are added and released pretty often. The page linked here provides information on those releases.
Falcon LogScale Collector supports several data sources. They're the data points from which the data is collected. Click on the heading here for more information on this.
Falcon LogScale Collector sends data only to LogScale, making use of proprietary, optimized ingest APIs. Sinks are specifically where the data collected is sent.
Log Collector Metadata
Each event has some metadata attached to it on ingestion; all metadata fields start with @ to make them easy to identify. All events will contain the following metadata fields by default.
| Metadata Field | Description |
|---|---|
| @collect.host | Name of the ingesting host |
| @collect.id | Unique ID of the collector |
| @collect.timezone | Timezone |
| @collect.timestamp | Timestamp |
| @collect.source_name | Name of the source. |
| @collect.source_type | (e.g. cmd, file, journald, syslog, syslog_tls, unifiedlog, wineventlog) |
| @collect.error | Error occurred while collecting data, e.g. wineventlog: could not parse names for event data. |
The following additional metadata fields are source specific.
| Source | Metadata Field | Description |
|---|---|---|
journald
| @collect.unit | Name of the unit, e.g. ntp.service |
file
| @collect.file | File name from where the event is collected. |
wineventlog
| @collect.channel | Channel of the collected event. |
syslog
| @collect.remote | Remote IP address and port. |
| @collect.socket | Local socket e.g. :514/UDP | |
command
| @collect.cmd | The command which is executed. |
| @collect.pid | The PID of the executed command | |
| @collect.stream | The output stream of the executed command, stdout or stderr. |