Installing LogScale Collector on Linux

The officially supported OS versions are listed below, but the LogScale Collector should be compatible with most modern x86-64, systemd-based Debian- and RHEL-type systems, and with ARM64 systems.

Downloading the LogScale Collector

The LogScale Collector can be downloaded from the LogScale User Interface by authenticated users. To download the LogScale Collector, go to Data ingest > LogScale Collector download.

For information on downloading the installer through the command-line, see Downloading Installers from the Command-line.

Figure 1. Download Page


Choose the version of the LogScale Collector you wish to download and then follow the instructions for the corresponding operating system to complete the installation.

Installing LogScale Collector on Ubuntu
  1. Run the following command to install Falcon LogScale Collector.

    shell
    $ dpkg -i humio-log-collector_x.x.x_linux_amd64.deb
  2. You can now grant access to system logs. By default, the humio-log-collector process runs as the humio-log-collector user, which is installed by the package and does not have access to logs in /var/log. Access can be granted by adding the user to the adm group.

    shell
    $ sudo usermod -a -G adm humio-log-collector

    Note

    Running the LogScale Collector as the root user is not recommended.

Installing LogScale Collector on Red Hat
  1. Run the following command to install Falcon LogScale Collector.

    shell
    $ rpm -i humio-log-collector.rpm
  2. To access log files on Red Hat, the collector needs read rights on the system. You can add the following to your systemd unit file to grant read access to all files.

    Important

    This provides broad access to all system files and is therefore not recommended for anything other than testing purposes.

    ini
    [Service]
    AmbientCapabilities=CAP_DAC_READ_SEARCH

    We recommend using specific access permissions to files or using ACLs. For example, access to the systemd journal can be granted using the following:

    shell
    $ sudo usermod -a -G systemd-journal humio-log-collector
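A check for the testing-only setting in step 2, as an added example that is not part of the LogScale documentation: it reports whether a unit file and its drop-ins leave CAP_DAC_READ_SEARCH, or an inverted `~` list, in the effective AmbientCapabilities. The function names, file names and unit contents are constructed for illustration, and line continuations in the unit file are not handled.

```shell
#!/bin/sh
# Added example, not part of the LogScale documentation.
# effective_ambient_caps: print the ambient capabilities a unit ends up with,
# one per line. Arguments are the unit file followed by its drop-ins in the
# order systemd applies them; with no arguments the text is read from stdin.
effective_ambient_caps() {
    awk '
        FNR == 1 { in_service = 0 }                   # new file: no section yet
        /^[ \t]*[#;]/ { next }                        # skip comment lines
        /^[ \t]*\[/ { in_service = ($0 ~ /^[ \t]*\[Service\]/); next }
        in_service && /^[ \t]*AmbientCapabilities[ \t]*=/ {
            value = $0
            sub(/^[^=]*=[ \t]*/, "", value)
            sub(/[ \t]+$/, "", value)
            if (value == "") { n = 0; next }          # empty assignment resets the list
            count = split(value, parts)
            for (i = 1; i <= count; i++) caps[++n] = toupper(parts[i])
        }
        END { for (i = 1; i <= n; i++) print caps[i] }
    ' "$@"
}

# audit_collector_unit: exit status 1 when the unit grants CAP_DAC_READ_SEARCH
# or uses an inverted ("~") list, which grants every capability except the
# ones named; exit status 0 otherwise.
audit_collector_unit() {
    caps=$(effective_ambient_caps "$@" | tr '\n' ' ')
    case " $caps" in
        *" CAP_DAC_READ_SEARCH "*|*" ~"*)
            echo "FINDING: broad read access via AmbientCapabilities: $caps"
            return 1 ;;
    esac
    echo "OK: CAP_DAC_READ_SEARCH not granted (ambient capabilities: ${caps:-none})"
}

# Constructed sample: a unit, a leftover testing drop-in, and a drop-in that resets it.
demo_dir=$(mktemp -d)
printf '[Service]\nUser=humio-log-collector\n' > "$demo_dir/humio-log-collector.service"
printf '[Service]\nAmbientCapabilities = CAP_DAC_READ_SEARCH\n' > "$demo_dir/10-testing.conf"
printf '[Service]\nAmbientCapabilities=\n' > "$demo_dir/20-reset.conf"

audit_collector_unit "$demo_dir/humio-log-collector.service" "$demo_dir/10-testing.conf" || echo "(exit status 1)"
audit_collector_unit "$demo_dir/humio-log-collector.service" "$demo_dir/10-testing.conf" "$demo_dir/20-reset.conf"
rm -rf "$demo_dir"
```

On a host, `systemctl cat humio-log-collector.service | audit_collector_unit` supplies the unit file followed by its drop-ins on stdin.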
Firewall Configuration

If a firewall has been configured on your system, it may interfere with the sending of Syslog data. The firewall configuration will need to be updated to allow the default syslog port, 1515, through the firewall.

On Red Hat or Debian Linux installations this can be achieved using the command:

shell
$ sudo firewall-cmd --add-port=1515/tcp --permanent

Other Linux installations may need a different configuration.

Binding to the Standard Syslog Port

Only the root user can bind to ports below 1024. To bind to a lower port number, you can give special permissions to the humio-log-collector binary.

shell
$ sudo setcap CAP_NET_BIND_SERVICE=+eip /usr/bin/humio-log-collector
$ sudo systemctl restart humio-log-collector
Next Steps

Once you have downloaded and installed Falcon LogScale Collector you need to:

Running the LogScale Collector Manually on Linux

The following procedures allow you to install LogScale Collector on Linux manually.

Running the LogScale Collector Manually

You can run the LogScale Collector as a standalone process and ignore the service file:

shell
humio-log-collector -cfg /etc/humio-log-collector/config.yaml

The executable humio-log-collector is located in /usr/bin by default.

Configuring Start-up on Boot

The package ships with a systemd service file. Start the service by running:

shell
$ sudo systemctl start humio-log-collector.service

Configure it to start on boot using:

shell
$ sudo systemctl enable humio-log-collector.service