Ingesting FDR Data

LogScale can ingest Falcon Data Replicator (FDR) data into LogScale without having to configure log shippers.

Ingesting FDR data can be used with self-cloud LogScale clusters. For cloud customers, please contact the support team.

Important

Non-FDR data should not be ingested into an FDR repository.

To configure FDR ingest:

Contact LogScale sales or your account manager to enable FDR ingest for your organization.
Cluster Configuration
Error Handling

Once the data has been ingested, you can examine the information using Ingest FDR Data.

Getting Insights from FDR Data

Once you have some FDR data ingested into LogScale, you can use the LogScale query language and other assorted features to get a deeper insight into your data.

In addition to containing the FDR parser the crowdstrike/fdr package also contains various queries, dashboards and alerts that can help you get started on getting insights from your FDR data.

Metric

The number of events ingested per feed per repository can be seen in the metric LogScale Metrics.

Falcon LogScale Self-Hosted 1.132.0-1.137.0 (Preview)

Self-Hosted Overview

Installing LogScale

Self-Hosted Admin.

Organization Essentials

Configuring Security

Authentication & Identity Providers

Users & Permissions

Cluster Management

Configuration Settings

Ingesting Data

LogScale Configuration Parameters

LogScale URLs & Endpoints

Limits & Standards

Data Analysis 1.132.0-1.137.0

Data Analysis Overview

LogScale User Interface

Repositories & Views

Parsing Data

Searching Data

Writing Queries

Query Language Syntax

Query Functions

Dashboards & Widgets

Automation

Template Language

Keyboard Shortcuts