How-To: How to Configure CrowdStream LogScale Destination

Configuring a CrowdStream LogScale destination requires several steps: preparing a LogScale repo and ingest token, creating the destination in CrowdStream / Cribl, deploying the change, and then testing that data actually arrives.

Set up LogScale Repo / Ingest Token

A CrowdStream / Cribl destination needs a place for collected data to land in LogScale, and a credential that allows writing there. First set up (or pick) the LogScale repo that should receive the data. Then:

  • Within that repo, create an ingest token (LogScale Settings > Ingest tokens > Add token)

  • The parser can be left blank, or set to the built-in json parser.

  • Make a note of the Ingest URL. If the LogScale cluster does not show an "ingest URL" in the Ingest tokens section, use the URL of the LogScale instance itself. For more information, see LogScale URLs & Endpoints.

  • Make a note of the ingest token value (both the URL and the token are needed in the CrowdStream / Cribl setup). Treat the token as a secret: anyone holding it can write events into that repo, so store it in the Cribl destination's token field rather than in a shared document.

Set up CrowdStream / Cribl Destination

  • Log in to your CrowdStream / Cribl instance

    For example, this can be a CrowdStream instance at a customer / POV, or it can be a Cribl eval instance you signed up for (both behave the same)

  • From the main CrowdStream / CriblStream page, click on Manage Stream

  • Click on the Worker Group that will be used.

  • Click Data > Destinations

  • In the upper-right of the screen, click in the Filter Destinations field and search for logscale

    In a net-new setup, one result should display: CrowdStrike Falcon LogScale

  • Click on the CrowdStrike Falcon LogScale tile

    • In the upper-right of the page, click "Add Destination"

    • The "New Destination" page displays with default values

  • Update the following fields for a minimum destination configuration

    • Output ID

      Can be any value; this is just a unique name for this LogScale destination config

      For example: dest_repo_zz_macgyver_dev_cribl_o365

    • LogScale Endpoint

      Replace the host portion of the default URL with the main URL of the LogScale stack you are working with. For more information, see LogScale URLs & Endpoints.

      • If the LogScale stack has a dedicated ingest URL, use that; if not, use the URL of the main LogScale UI

      • The key is that the path after the https:// host must be: /api/v1/ingest/hec

    • LogScale Auth token

      Enter the ingest token for the LogScale repo that data sent to this destination should go to. Data always lands in the repo the token was created in, regardless of how the destination is named.

  • Click Save
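Before deploying the destination, it is worth confirming that the endpoint URL and ingest token work on their own, so a later failure can be attributed to the Cribl configuration rather than to LogScale. The following script is an added example and not part of the original page or of Cribl's or CrowdStrike's tooling. It assumes two environment variables, LOGSCALE_URL (the stack's base URL, as noted above) and LOGSCALE_INGEST_TOKEN, and posts one constructed JSON event straight to the HEC endpoint with curl. The URL helper also shows the normalisation the destination's "LogScale Endpoint" field needs: the path must end in /api/v1/ingest/hec, and the scheme must be https so the token is never sent in clear.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check a LogScale ingest
# URL and ingest token by sending one event directly to the HEC endpoint.
# Assumed inputs: LOGSCALE_URL (stack base URL) and LOGSCALE_INGEST_TOKEN.

# Normalise a base URL into the full HEC endpoint. Accepts the bare stack URL
# (with or without a trailing slash) or a URL that already carries the HEC
# suffix; rejects anything that is not https.
hec_url() {
  base="$1"
  case "$base" in
    https://*) ;;
    *) echo "refusing non-https ingest URL: $base" >&2; return 1 ;;
  esac
  base="${base%/}"                     # drop one trailing slash
  base="${base%/api/v1/ingest/hec}"    # drop the suffix if already present
  printf '%s/api/v1/ingest/hec\n' "$base"
}

# Build one HEC-format JSON document. LogScale's HEC endpoint accepts
# {"time": <epoch seconds>, "event": <string or object>, "fields": {...}}.
# The Computer field mirrors the field in Cribl's sentinel_syslog sample so the
# same LogScale search finds both kinds of test event.
hec_payload() {
  msg="$1"; ts="$2"
  printf '{"time": %s, "event": {"message": "%s", "Computer": "hec-curl-test"}, "fields": {"source": "hec-curl-test"}}\n' "$ts" "$msg"
}

# POST the event. A healthy endpoint answers HTTP 200 with {"text":"Success","code":0};
# a wrong token gives 401, a wrong path or host gives 404 or a connection error.
send_test_event() {
  url=$(hec_url "$LOGSCALE_URL") || return 1
  body=$(hec_payload "test event from curl" "$(date +%s)")
  curl -sS -X POST "$url" \
    -H "Authorization: Bearer $LOGSCALE_INGEST_TOKEN" \
    -H "Content-Type: application/json" \
    -d "$body" \
    -w '\nHTTP %{http_code}\n'
}

# Only touch the network when both values are set, so the file is safe to source.
if [ -n "${LOGSCALE_URL:-}" ] && [ -n "${LOGSCALE_INGEST_TOKEN:-}" ]; then
  send_test_event
fi
```

Run it with the two variables exported; the HTTP status printed after the response body tells you whether the token (401) or the URL (404, connection refused) is the problem.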

Deploy Changes in CrowdStream / Cribl

New configurations added in CrowdStream / Cribl are not active until they are committed and deployed to the worker group.

  • In the upper-right of the CrowdStream / Cribl page, click "Commit & Deploy"

  • In the upper-left of the Git Changes - Group default page that displays, enter a commit message describing the change

    Could be Adding new destination to LogScale for example

  • In the lower-right of the "Git Changes - Group default" page, click "Commit and Deploy"

    After a few moments, status messages should display (in the bottom-right side of screen) indicating the commit and deploy actions were successful

Test Data Routing from CrowdStream / CriblStream to the New LogScale Destination

Setup a Sample Event to Send to the LogScale Destination

  • From the new CrowdStrike Falcon LogScale destination list (Data > Destinations > search for "logscale")

    Click on the new CrowdStream / CriblStream destination (anywhere on the row)

  • In the upper-left side of the destination page, click on the Test menu option

  • In the upper-right side of the page that displays:

    • The Select worker drop-down is typically pre-populated with the single CrowdStream / CriblStream worker that is deployed by default. No change is needed.

    • In the Select sample drop-down, scroll down through the list and select sentinel_syslog

      Selecting the sample opens a small "Test input" section on the left. One of its fields is auto-updated to the current time, so the event will fall inside a recent search window in LogScale.

      Note

      The sample message can be edited before sending. For example, the value of the "Computer" field can be changed from "CriblStreamWorker" to any value, which makes the event easy to search for in LogScale.

  • In the upper-right of the page, click "Run Test"

    At the bottom of the page, a status message displays indicating whether the destination accepted the test event.

Verify the Sample Data Shows in LogScale Repo

  • The sample event sent from CrowdStream / CriblStream should now appear in the LogScale repo tied to the ingest token used in the destination setup. Search that repo over the last few minutes for the Computer value used in the test event (CriblStreamWorker unless you changed it).
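The verification above can also be scripted, which is useful when the same check is repeated for several destinations. The following is an added example, not part of the original page, that runs a LogScale search through the Search API and counts events whose Computer field matches the test value. It assumes LOGSCALE_URL, LOGSCALE_REPO (the repo name) and LOGSCALE_API_TOKEN; the last is a personal API token for a user with read access to the repo, because the ingest token used by the destination only permits writing and cannot run searches.

```shell
#!/bin/sh
# Added example (not from the original page): confirm the Cribl test event
# reached the destination repo by running a LogScale search via the Search API.
# Assumed inputs: LOGSCALE_URL, LOGSCALE_REPO, LOGSCALE_API_TOKEN (personal token,
# not the ingest token).

# Search API endpoint: POST /api/v1/repositories/<repo>/query
query_url() {
  base="${1%/}"
  printf '%s/api/v1/repositories/%s/query\n' "$base" "$2"
}

# Query body: LogScale query language, relative start time, end at now.
# The query matches the Computer field the Test page lets you edit and
# reduces to a single count, so the answer is one small JSON document.
query_body() {
  computer="$1"; window="$2"
  printf '{"queryString": "Computer=\\"%s\\" | count()", "start": "%s", "end": "now"}\n' "$computer" "$window"
}

# Run the search; a non-zero _count in the response means the event arrived.
# A 401 here usually means an ingest token was used instead of a personal token.
count_test_events() {
  computer="${1:-CriblStreamWorker}"; window="${2:-15m}"
  curl -sS -X POST "$(query_url "$LOGSCALE_URL" "$LOGSCALE_REPO")" \
    -H "Authorization: Bearer $LOGSCALE_API_TOKEN" \
    -H "Content-Type: application/json" \
    -H "Accept: application/json" \
    -d "$(query_body "$computer" "$window")" \
    -w '\nHTTP %{http_code}\n'
}

if [ -n "${LOGSCALE_URL:-}" ] && [ -n "${LOGSCALE_REPO:-}" ] && [ -n "${LOGSCALE_API_TOKEN:-}" ]; then
  count_test_events "$@"
fi
```

Pass a different Computer value and window as arguments if the sample event was edited (for example `./verify.sh my-test-host 1h`).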