CrowdStrike Falcon LogScale
Overview
You can send logs to CrowdStrike Falcon LogScale over HTTP through its HTTP Event Collector (HEC) endpoint by issuing POST requests from our HTTP Data sink.
Data sink configuration
To start sending data to CrowdStrike Falcon LogScale, follow these steps:
Create a new HTTP Data sink. To do it, go to Data sinks > New Data sink and double-click HTTP.
Give your Data sink a Name and, optionally, add a Description and some Tags. Click Finish when you're done.
Fill in the following parameters as follows:
HTTP method*
Choose POST.
URL*
To push data into LogScale via HTTP, you don't need a CrowdStrike-specific URL; you need a LogScale HTTP ingest URL that accepts events, which is created from an ingest token. To do so:
Go to the Settings tab of your repository.
Scroll to Ingest Tokens.
Click Create Token.
Give it a name (e.g., crowdstrike-ingest). Choose structured if you're sending JSON data.
Copy the full ingest URL, which will look like this:
https://cloud.us.humio.com/api/v1/ingest/humio-structured/crowdstrike-alerts?token=abcdef1234567890
Message
Enter the JSON messages you would like to send to CrowdStrike Falcon LogScale.
Content-Type
Choose text/plain.
Support special characters, Use gzip, HTTP headers
Set as required.
In the Bulk configuration section, fill in the parameters as follows:
Bulk allow*
Set true.
Delimiter*
Choose Manual delimiter* and leave it as new line (\n).
Maximum number of buffers per server URL*
Set as required.
Event amount*, Event time limit*
These would depend on the length of the messages you want to forward.
Each batch request is limited to 32 MB of uncompressed payload and a 2-minute time window. For best throughput, batch as many messages as possible into a single HTTP POST request while staying under the 32 MB limit.
Set the Authentication type* to Bearer and click New secret in the Token* field to define a new Secret holding the ingest token you created earlier (see the URL section above for how to find it).
Fill in the rest of the parameters as required, and click Save.
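The following is an added example, not Onum's or CrowdStrike's code, showing what the sink does with these settings: it takes an ingest URL in the shape shown above, moves the token out of the query string into the Bearer header (a token in the URL ends up in proxy and access logs), splits newline-delimited JSON into bodies that respect the 32 MB uncompressed limit, and gzips the payload when Use gzip is on. The URL and token values are the page's placeholders, and the events are constructed sample data.

```python
import gzip
import json
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Limit stated on this page for one uncompressed batch request.
MAX_BATCH_BYTES = 32 * 1024 * 1024

# Ingest URL in the shape shown above; the token is the page's placeholder, not a real one.
EXAMPLE_INGEST_URL = ("https://cloud.us.humio.com/api/v1/ingest/humio-structured/"
                      "crowdstrike-alerts?token=abcdef1234567890")


def split_ingest_url(ingest_url):
    """Separate the ?token= query parameter from the endpoint so the token can be
    sent as a Bearer header (the sink's Authentication type) rather than in the
    URL, where intermediaries would record it."""
    parts = urlsplit(ingest_url)
    token = parse_qs(parts.query).get("token", [None])[0]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", "")), token


def build_batches(events, max_bytes=MAX_BATCH_BYTES):
    """Serialise events as newline-delimited JSON (the manual \\n delimiter) and
    split them into request bodies that stay under max_bytes uncompressed."""
    batches, current, size = [], [], 0
    for event in events:
        line = json.dumps(event, separators=(",", ":")).encode()
        if len(line) + 1 > max_bytes:
            raise ValueError("single event exceeds the per-request limit")
        if current and size + len(line) + 1 > max_bytes:
            batches.append(b"\n".join(current))   # flush before overflowing
            current, size = [], 0
        current.append(line)
        size += len(line) + 1                      # +1 for the newline delimiter
    if current:
        batches.append(b"\n".join(current))
    return batches


def build_request(endpoint, token, body, use_gzip=True):
    """Return (url, headers, payload) for one POST. Content-Type text/plain
    matches the sink setting above; gzip mirrors the 'Use gzip' option."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "text/plain"}
    payload = body
    if use_gzip:
        headers["Content-Encoding"] = "gzip"
        payload = gzip.compress(body)
    return endpoint, headers, payload
```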