Installing Falcon LogScale Collector on Linux

The officially supported OS versions are listed below, but the Log Collector should be compatible with most modern x86-64 systemd-based Debian and RHEL-type systems, and modern supported Windows distributions.

  • Ubuntu 20.04 LTS (x86-64)

  • RedHat Enterprise Linux 7 & 8 (x86-64)

See Installing Log Collector on Windows for the supported versions of Windows. If you need more information on the Log Collector support for a different operating system or architecture, please get in contact with Humio Support who will note your interest.

Downloading the Log Collector

The Log Collector can be downloaded from the Humio User Interface by authenticated users. To download the Log Collector go to Organization Settings > Log Collector.

Figure 249. Download Page


Choose the version of the Log Collector you wish to download. Humio will also generate an example configuration file based on the distribution you chose and the details of your Humio instance.

Installing the Log Collector

Ubuntu

Run the following command to install Falcon LogScale Collector:

sudo dpkg -i humio-log-collector_x.x.x_linux_amd64.deb

Granting Access to System Logs on Ubuntu

By default, the humio-log-collector process runs as the humio-log-collector user, which is installed by the package and does not have access to logs in /var/log.

This access can be granted by adding the user to the adm group:

sudo usermod -a -G adm humio-log-collector

Note

Running the Log Collector as the root user is not recommended.

RedHat

Run the following command to install Falcon LogScale Collector:

sudo rpm -i humio-log-collector.rpm

Granting Read Access to Logs On RHEL

To access log files in RedHat environments the collector needs read rights on the system. You can add the following to the [Service] section of your systemd unit file to grant read access to all files. This capability bypasses file read permission checks, so it covers every file on the system, not only logs.

AmbientCapabilities=CAP_DAC_READ_SEARCH

Running the Log Collector Manually

You can run the Log Collector as a standalone process, without using the service file:

humio-log-collector -cfg config.yaml

The executable humio-log-collector is located in /usr/bin by default.

Configuring Startup on Boot

The package ships with a service file that can be run as a systemd service. Start the service by running:

sudo systemctl start humio-log-collector.service

Configure it to start on boot using:

sudo systemctl enable humio-log-collector.service

Binding to the Standard Syslog Port

Only root can bind to ports below 1024. To bind to a lower port number, such as the standard syslog port, you can grant the CAP_NET_BIND_SERVICE capability to the humio-log-collector binary:

sudo setcap CAP_NET_BIND_SERVICE=+eip /usr/bin/humio-log-collector
sudo systemctl restart humio-log-collector
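
A post-install check of the privileges granted in the steps above, as an added example that is not part of the original page or of the vendor's tooling: it confirms the service does not run as root, that the binary carries no file capability other than CAP_NET_BIND_SERVICE, and that log read access comes from adm membership or CAP_DAC_READ_SEARCH. The function names and the --live flag are hypothetical; the user, unit and binary path are the ones named on this page.

```shell
#!/bin/sh
# Added example, not vendor code. User, unit and binary path are from this page;
# function names and the --live flag are hypothetical.
SVC_USER=humio-log-collector
UNIT=humio-log-collector.service
BIN=/usr/bin/humio-log-collector

# in_group "<id -nG output>" <group>
in_group() { case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac; }

# file_caps "<getcap output>": capability names, one per line.
# Accepts "path = cap_x+eip" (older libcap) and "path cap_x=eip" (newer).
file_caps() {
    printf '%s\n' "$1" | sed -e 's/^[^ ]* *=* *//' -e 's/[+=][eip]*$//' | tr ',' '\n'
}

# audit <service user> <id -nG output> <getcap output> <unit file text>
# Prints findings; the return code is the number of FAIL lines.
audit() {
    fails=0
    case "$1" in
        ""|root) echo "FAIL: service runs as root"; fails=$((fails + 1)) ;;
    esac
    for c in $(file_caps "$3"); do
        [ "$c" = cap_net_bind_service ] && continue
        echo "FAIL: unexpected file capability $c on $BIN"; fails=$((fails + 1))
    done
    if printf '%s\n' "$4" | grep -qi '^AmbientCapabilities=.*CAP_DAC_READ_SEARCH'; then
        echo "NOTE: CAP_DAC_READ_SEARCH lets the collector read every file, not only logs"
    elif ! in_group "$2" adm; then
        echo "WARN: $SVC_USER is not in adm and has no read capability for /var/log"
    fi
    return "$fails"
}

# Gather the four inputs from the local host and audit them.
audit_live() {
    audit "$(systemctl show -p User "$UNIT" | cut -d= -f2-)" \
          "$(id -nG "$SVC_USER")" \
          "$(getcap "$BIN")" \
          "$(systemctl cat "$UNIT")"
}

if [ "${1:-}" = "--live" ]; then audit_live; fi
```

Run it with --live after installation and again after each package upgrade, since file capabilities set with setcap are attached to the binary file and do not survive its replacement.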

Next Steps

Once you have downloaded and installed Falcon LogScale Collector you need to: