How-To: How to Configure CrowdStream LogScale Destination

CrowdStream / Cribl destinations will need a place for data to "go" in LogScale once it's collected:

For data to flow "to" LogScale, first you need to set up a LogScale repo.

Within that repo, create an ingest token (LogScale Settings → Ingest token → Add token)
Can leave the parser blank, or can set parser to the default json parser.
Make a note of the Ingest URL (if LogScale cluster doesn't show an "ingest url" in the Ingest token section, then use the URL for the LogScale instance). For more information, see LogScale URLs & Endpoints.
Make a note of the ingest token value (both will be needed in the CrowdStream / Cribl setup).

Log in to your CrowdStream / Cribl instance
For example, this can be a CrowdStream instance at a customer / POV, or it can be a Cribl eval instance you signed up for (both behave the same)
From the main CrowdStream / CriblStream page, click on Manage Stream
Click on the Worker Group that will be used.
Click Data > Destinations
In the upper-right of the screen, click in the Filter Destinations field and search for logscale
In a net-new setup, one result should display: CrowdStrike Falcon LogScale
Click on the CrowdStrike Falcon LogScale tile
- In the upper-right of the page, click "Add Destination"
- The following default "New Destination" page displays
Update the following fields for a minimum destination configuration
- Output ID
  Can be any value - this is just a unique name for this LogScale destination config
  For example: dest_repo_zz_macgyver_dev_cribl_o365
- LogScale Endpoint
  Update the default URL (specifically the How to Configure CrowdStream LogScale Destination url) to be the main .com URL for the LogScale stack with which you are working. For more information, see LogScale URLs & Endpoints.
  - If the LogScale stack has ingest in the URL, use that; if not, use the URL for the main LogScale UI
  - The key is that the "suffix" of the field (after the full https:// URL is set) should be: /api/v1/ingest/hec
- LogScale Auth token
  Add the Ingest token for the LogScale repo to which data sent to this destination configuration should go
Click Save

For new updates in CrowdStream / Cribl, when new configurations are added, these must be applied to the CrowdStream / Cribl instance

In the upper-right of the CrowdStream / Cribl page, click "Commit & Deploy"
In the upper-left of the Git Changes - Group default page that displays, add a comment about the changes to be committed
Could be “Adding new destination to LogScale” for example
In the lower-right of the "Git Changes - Group default" page that displays, Click "Commit and Deploy"
After a few moments, status messages should display (in the bottom-right side of screen) indicating the commit and deploy actions were successful

Setup a Sample Event to Send to the LogScale Destination

From the new CrowdStrike Falcon LogScale destination list (Data > Destinations > search for "logscale")
Click on the new CrowdStream / CriblStream destination (anywhere on the row)
In the upper-left side of the destination page, click on the Test menu option
In the upper-right side of the page that displays:
- In the Select worker drop-down, this will typically populate with the single CrowdStream / CriblStream worker that is deployed by default. No changes needed to this option.
- In the Select sample drop-down, scroll down through the list and select sentinel_syslog
  This option will pop up a small "Test input" section on the left (that auto-updates one of the fields to the current time, so it will show in LogScale)
  Note
  This sample test message can be manually updated - for example, can change the value of the "Computer" field from "CriblStreamWorker" to anything you want
In the upper-right of the page, click "Run Test"
At the bottom of the page, a status message should display. For example: