Falcon LogScale Collector

The Falcon LogScale Collector is the native log shipper for LogScale. It can collect and send events to a LogScale repository, using LogScale ingest tokens to route data to the relevant repositories.

Falcon LogScale Collector, available on Linux, macOS and Windows, offers Fleet Management, which allows you to centrally manage multiple instances of LogScale Collector.

Falcon LogScale Collector can collect data from several sources: command sources, Windows events, files, Linux systems, syslog, unifiedlog and JournalD sources. It uses @collect.* metadata attached to events, including a unique collector ID, hostname, @collect.timestamp, etc.

LogScale Collector buffers in memory, and sends data to LogScale instances based on ingest tokens or environment variables.

It offers a configurable sub-second ingest lag between a line being written and being sent to LogScale. It also provides network compression (default is ON), and supports HTTP(S) proxies.

Refer to the following documentation for more information on the LogScale Collector:

Installing LogScale Collector

The headings of the list below are linked to documentation pages that explain how to install LogScale Collector:

Installing the LogScale Collector

Describes how to install LogScale Collector using the full install, which is required in order to manage updates remotely.

Custom Installation of LogScale Collector

Provides details on how to install LogScale Collector using custom methods.

Configuring LogScale Collector

The headings of the list below are linked to documentation pages that explain how to configure LogScale Collector:

Configure LogScale Collector

Falcon LogScale Collector can be configured remotely, or locally through its configuration files. This linked page describes how to make changes to the configuration.

Configuration Elements

The configuration file is a YAML file. This page lists the configuration elements you need to be aware of for the YAML configuration file to be parsed properly.

Sources & Examples

By clicking on the heading here, you'll be taken to a page which provides a set of example configuration files and source-specific references that you might find useful.

Updates & Other Resources

It's important to keep your software up-to-date, and to keep current on the latest related information. Below are links to documentation to do this:

LogScale Collector Releases

LogScale Collector is still fairly new, and improvements are added and released pretty often. The page linked here provides information on those releases.

Data Sources

LogScale Collector supports several data sources. They're the data points from which the data is collected. Click on the heading here for more information on this.

Sinks

LogScale Collector sends data only to LogScale, making use of proprietary, optimized ingest APIs. Sinks are specifically where the data collected is sent.

Managing Versions - Groups

You can remotely manage the versions of instances which are part of groups. This allows you to update or roll back sets of LogScale instances from the Groups page.

This feature can only be used for instances which have been installed using the full install described in Installing the LogScale Collector. You can also update specific instances from the fleet overview page; see Managing LogScale Collector Versions - Instances.

  1. Go to your LogScale account and click Data Ingest and select Groups. The Group page is displayed.

  2. Click on the three dots next to the group you want to update or roll back and select Manage versions. The version details pop-up is displayed.

    Figure 12. Version Details


  3. Select the radio button next to the version to update or downgrade to, and click Update now.

    Note

    These options are only available for instances which have been installed using the full install and for specific versions of the LogScale Collector.

Editing a Group

You can edit groups to change:

  • the name of the group

  • the configuration(s) which are assigned

  • the instances included in the group (the filter)

  1. Go to your LogScale account and click Data Ingest and select Groups. The Group page is displayed.

  2. Click the three dots next to the group you want to edit and select Edit group. The edit pop-up is displayed.

  3. On the first page of the pop-up you can edit the configuration. See Creating a Group for details on the configuration or combined configuration for your group. Click Next to go to the filter page of the pop-up.

  4. On this page you can edit the query filters which are applied to create a group of instances. You can use a subset of the LogScale Query Language to filter for instances. When you edit the query filters of a previously created group, the pop-up displays how the changes impact the number of instances in the group. Click Update group.

    Figure 13. Edit Group


Deleting a Group

You can delete groups when they are no longer required.

  1. Go to your LogScale account and click Data Ingest and select Groups. The Group page is displayed.

  2. Click the three dots next to the group you want to delete and select Delete group. The delete pop-up is displayed with details on how many instances deleting the group will affect.