Configuring LogScale Collector

The Falcon LogScale Collector configuration can be managed either:

Creating a Configuration - Fleet Management

These steps explain how to configure the LogScale Collector for remote management using the Config overview page to ship data to LogScale. See LogScale Collector Fleet Management for information on remote configuration.

  1. Go to the Fleet Management tab and click Config overview.

    Figure 290. Fleet Overview


  2. The Config overview page is displayed. Click + New Config.

    Figure 291. Config Overview


  3. Type the name for your new configuration and click either:

    • Create New - creates a new configuration from scratch.

    • Create from template - browse for a previously exported or manually created configuration file (.yaml).

  4. The Config Editor is displayed, which allows you to make changes to your config file.

    Figure 292. Config Editor


  5. Edit the file and specify the fields. Note that you can only edit the sections sources, sinks and settings, described in Sources and Examples. Alternatively, you can try out data ingestion by specifying:

    • under sources you must specify type and include

    • remotely in a managed mode which provides a set of functionalities to centrally manage your configurations and assign a single configuration to multiple instances, see Creating a Configuration - Fleet Management for more information on remote configuration creation.

    The editor helps by underlining entities that are misspelled or incorrectly positioned (at the wrong level) and by autocompleting entities as you insert them. You can also hover over entities for useful tips and information.

  6. Optionally, click the settings cog to view the Basic Settings, where you can manage additional settings such as description and name, assign instances to the configuration, or manage a test draft. See Figure 306, “Basic information” for more information.

    • Click Save as draft to save the changes without publishing.

    • Click Start test to test a draft on a set of instances, which you can choose in the next step; see Figure 313, “Test status”.

    • Click Publish config to save the changes and publish them to all the instances which are using the config.

    and restart the service.

    sudo systemctl restart humio-log-collector.service

Creating a Configuration - Local

The following steps describe how to edit the configuration file for local management. This can only be used for instances that have not been enrolled; see Managing LogScale Collector Instance Enrollment for more information. If you want to create a remote configuration file, see Creating a Configuration - Fleet Management.

  1. Open the file config.yaml to edit using the editor of your choice, for example on Linux:

    sudo vi /etc/humio-log-collector/config.yaml

    The file can be found in:

    • Linux

      /etc/humio-log-collector/config.yaml

    • Windows

      C:\Program Files (x86)\CrowdStrike\Humio Log Collector\config.yaml

  2. Edit the file and specify the fields and values described in Sources and Examples, or you can try out data ingestion by specifying:

    • under sources you must specify type and include

    • under sinks you must specify type, token and url

  3. Once you have finished making changes, save the file and restart the service.

    sudo systemctl restart humio-log-collector.service
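
A check to run on the locally managed file before the restart in step 3, as an added example that is not part of the LogScale documentation: it verifies the fields step 2 requires under sources and sinks, and adds two hardening checks that are assumptions of this example (the file holding the token is not world-readable, and the sink url is not cleartext HTTP). The sample config is constructed; its source and sink names, token and URL are placeholders, and the file source type, humio sink type and sink key are taken from the Collector's configuration format rather than from this page.

```shell
# Line-based sanity check (not a YAML parser) to run before restarting
# humio-log-collector.service after a local edit of config.yaml.

# True if KEY ($3) occurs inside top-level SECTION ($2) of FILE ($1).
section_has_key() {
    awk -v sec="$2:" -v key="$3:" '
        /^[^ \t#]/          { in_sec = ($1 == sec) }
        in_sec && $1 == key { found = 1 }
        END                 { exit !found }' "$1"
}

check_collector_config() {
    cfg=$1; rc=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    for k in type include; do       # fields the page requires under sources
        section_has_key "$cfg" sources "$k" || { echo "sources: no $k" >&2; rc=1; }
    done
    for k in type token url; do     # fields the page requires under sinks
        section_has_key "$cfg" sinks "$k" || { echo "sinks: no $k" >&2; rc=1; }
    done
    # Added hardening checks (assumptions, not from the page): the sink token
    # is a credential, so flag a world-readable file and a cleartext URL.
    if [ -n "$(find "$cfg" -prune -perm -004)" ]; then
        echo "$cfg is world-readable" >&2; rc=1
    fi
    if grep -Eq '^[[:space:]]+url:[[:space:]]*http://' "$cfg"; then
        echo "sink url is not https" >&2; rc=1
    fi
    return $rc
}

# Constructed sample config; names, paths, URL and token are placeholders.
sample_config() {
    cat <<'EOF'
sources:
  var_log:
    type: file
    include: /var/log/*.log
    sink: my_sink
sinks:
  my_sink:
    type: humio
    token: 00000000-0000-0000-0000-000000000000
    url: https://logscale.example.com
EOF
}

tmp=$(mktemp) && sample_config > "$tmp" && chmod 640 "$tmp"
check_collector_config "$tmp" && echo "sample config passes"
rm -f "$tmp"
```

On a real host, run `check_collector_config /etc/humio-log-collector/config.yaml` and restart the service only if it returns 0.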

Additional environment variables can be configured in the file /etc/default/humio-log-collector on Linux. On Windows, the environment variables have to be configured in system properties.