# Collect data from Falcon LogScale

{% hint style="info" %}
See the changelog of the **Falcon LogScale Collector** Listener [here](/listeners/falcon-logscale-collector-listener.md).
{% endhint %}

## Overview <a href="#overview" id="overview"></a>

This article outlines a basic data flow from **Falcon LogScale Collector** to the Onum **Falcon LogScale Collector** Listener.

## Prerequisites <a href="#data-sink-configuration" id="data-sink-configuration"></a>

* In most cloud-based Onum installations, the **TLS configuration** section of the **Falcon LogScale Collector** Listener **is not visible** and you won't need to enter these values. In these setups, Onum automatically manages TLS certificates, eliminating the need for manual configuration. If your **Falcon LogScale Collector** Listener configuration requires you to manually enter these TLS certificates, you can generate them following the instructions in [this article](/usecases/routing/crowdstrike-integration/self-signed-ssl-tls-certificates-creation.md).
* You'll need to know your Onum distributor URL, as it will be required in the Falcon LogScale Collector setup. In most cloud-based Onum installations, the Onum distributor URL will be displayed in the Listener details once you create it. Click your Listener in the **Listeners** area and find it under the **Address** section. If you cannot see it, [contact us](https://docs.onum.com/support/) and we'll send it to you.

## Onum setup <a href="#data-sink-configuration" id="data-sink-configuration"></a>

First, you must configure a new **Falcon LogScale Collector** Listener in Onum:

{% stepper %}
{% step %}
In Onum, go to the **Listeners** area and click **New listener**. Select the **Falcon LogScale Collector** Listener from the list.
{% endstep %}

{% step %}
Enter a **Name** for the Listener. Optionally, add a **Description** and some **Tags** to identify the Listener.
{% endstep %}

{% step %}
For most cloud-based Onum installations, the **Socket** section **is not visible**, and port `443` is used by default. If you see it, enter the required port in the **Port** field. At this time, all TCP ports from `1024` to `10000` are open.
{% endstep %}

{% step %}
Now you need to generate a token that will be used to connect Onum to your Falcon LogScale Collector instance. You can use an [online UUID generator tool](https://www.uuidgenerator.net/) to get it.

{% hint style="warning" %}
Note that the Falcon LogScale Collector won’t allow for token values that are just numeric.
{% endhint %}

Back in Onum, go to the **Authentication** section, click the **Select an API Key** field and select **New secret**. In the window that appears, give your secret a **Name** and turn off the **Expiration date** toggle if not needed. Then, click **Add new value** and paste the token you generated. Click **Save** when you're done.

You'll later use this token in the Falcon LogScale Collector configuration.

{% hint style="info" %}
Learn more about Secrets in [this article](/administration/global-settings/organization-settings/secrets-management.md).
{% endhint %}
{% endstep %}

{% step %}
Now, select the token you've just created.
{% endstep %}

{% step %}
In most cloud-based Onum installations, the **TLS configuration** section is not visible. In these setups, Onum automatically manages TLS certificates, eliminating the need for manual configuration.

If you see this section, you must enter the required **Certificate**, **Private key** and **CA Chain**. Learn how to generate these self-signed certificates in [this article](/usecases/routing/crowdstrike-integration/self-signed-ssl-tls-certificates-creation.md). Once you have them, click **New secret** in each field and add the corresponding values.
{% endstep %}

{% step %}
Now there are two possible scenarios:

* If you didn't enter your TLS certificates, click **Create listener** and you'll see the **Network configuration** screen, which shows the **Address** and **Port** needed to communicate with Onum. You can also download the certificate in case you need it.

{% hint style="info" %}
You can access all this information in the Listener details after creation, so don't worry.
{% endhint %}

* If you entered the TLS certificates, you'll go directly to the next step to create the Listener labels.
  {% endstep %}

{% step %}
Finally, click **Create labels**. Create any required [labels](/the-workspace/listeners/labels.md) if you need to break down your data and then click **Create listener**.
{% endstep %}
{% endstepper %}
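
As an added example (not part of the Onum or CrowdStrike documentation), the token from the **Authentication** step can also be generated on your own machine, so the secret never passes through a third-party website. The function names are illustrative; the script also enforces the rule that the token must not be just numeric.

```shell
#!/bin/sh
# Added example: create the Listener token locally. Function names are illustrative.

# True for a non-empty token that contains at least one non-digit character;
# the collector does not accept values that are just numeric.
is_valid_flc_token() {
  case $1 in
    '') return 1 ;;
    *[!0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print a random token, retrying if a candidate fails the check above.
new_flc_token() {
  for _try in 1 2 3 4 5; do
    if [ -r /proc/sys/kernel/random/uuid ]; then
      token=$(cat /proc/sys/kernel/random/uuid)
    elif command -v uuidgen >/dev/null 2>&1; then
      token=$(uuidgen)
    else
      # 16 bytes from the kernel CSPRNG, printed as 32 hex characters
      token=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    fi
    if is_valid_flc_token "$token"; then
      printf '%s\n' "$token"
      return 0
    fi
  done
  return 1
}

new_flc_token   # paste the printed value into the Onum secret
```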

## Falcon LogScale Collector setup <a href="#data-sink-configuration" id="data-sink-configuration"></a>

Now, access your Falcon instance and follow these steps:

{% stepper %}
{% step %}
Click **Data connectors > Data connections** in the left menu, then select the **Fleet management** tab.
{% endstep %}

{% step %}
Access the relevant Falcon LogScale Collector instance's config and add the following information under the `sinks` section:

* The token value you added in the **Falcon LogScale Collector** Listener setup in Onum. This will go into the `token` field of the configuration.
* The Onum URL, with the following format: `https://<distributorURL:port>`.
  * If you are working in a cloud tenant, you will find this URL in the Listener settings under **Address**. Click your Listener in the **Listeners** area to access its details.
  * Add the port you entered in the Onum configuration and include it in the `url` field of the configuration. If you are working in a cloud tenant, you can also see the **Port** in the Listener settings.

{% hint style="warning" %}
If you cannot get this information, contact the [Onum team](/support/support.md).
{% endhint %}

Below is a sample Falcon LogScale Collector config file:

{% code title="FLC config file" %}

```yaml
sinks:
  flc-to-onum:
    type: hec
    token: <token>
    # Replace with generated token entered in Onum.
    url: https://<distributorURL:port>
    # Replace with Onum distributor URL & port. Must include the "https://" at the beginning.
```

{% endcode %}

{% hint style="warning" %}
If you manually entered the TLS certificates in the Listener configuration, you must add the following `tls` section at the end of the config file. Enter the path to the CA certificate file you generated before. Add the file in a directory that the Falcon LogScale Collector can read.

```yaml
    # Indented to sit inside the sink, at the same level as "url".
    tls:
      caFile: "<filepath>"
      # Replace with full file path to CA certificate.
```

If you're using Windows, you need to escape backslashes (`\`) with an extra backslash in your CA file path.
{% endhint %}
{% endstep %}

{% step %}
Click **Publish > Publish draft** to publish your FLC config.
{% endstep %}

{% step %}
Finally, check the **Fleet Management** page to verify that the FLC status shows as **Okay**. The status may show **Error** if, for example, the port you entered does not match the one you chose in Onum.
{% endstep %}
{% endstepper %}
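
An added example, not code from Onum or CrowdStrike: a small pre-publish check for the values this section asks for (token, `https://` URL with port, optional `caFile`). The function names and the `onum.example.test` host are hypothetical, the sample config is constructed, and the port rule assumes the cloud values quoted on this page (443, or 1024 to 10000).

```shell
#!/bin/sh
# Added example (not Onum or CrowdStrike code): check a sink config against
# the requirements stated on this page. Handles simple "key: value" lines only.

# First value of KEY in FILE, trailing spaces and surrounding quotes removed.
yaml_value() {
  sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | head -n 1 |
    sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# Prints one line per finding; returns 0 if the config passes, 1 otherwise.
lint_flc_sink() {
  cfg=$1 rc=0
  token=$(yaml_value token "$cfg")
  url=$(yaml_value url "$cfg")
  cafile=$(yaml_value caFile "$cfg")

  case $token in
    ''|'<token>') echo "token: missing or placeholder not replaced"; rc=1 ;;
    *[!0-9]*) ;;  # has a non-digit, accepted
    *) echo "token: purely numeric values are not allowed"; rc=1 ;;
  esac

  case $url in
    https://*:*)
      port=${url##*:}; port=${port%%/*}
      case $port in
        ''|*[!0-9]*) printf "url: port '%s' is not a number\n" "$port"; rc=1 ;;
        *) if [ "$port" -ne 443 ] && { [ "$port" -lt 1024 ] || [ "$port" -gt 10000 ]; }; then
             echo "url: port $port is not 443 or within 1024-10000"; rc=1
           fi ;;
      esac ;;
    https://*) echo "url: no port, expected https://<distributorURL:port>"; rc=1 ;;
    *) printf "url: must start with https:// (found '%s')\n" "$url"; rc=1 ;;
  esac

  if [ -n "$cafile" ] && [ ! -r "$cafile" ]; then
    printf "tls.caFile: '%s' is not readable\n" "$cafile"; rc=1
  fi
  return $rc
}

# Constructed sample: numeric token and a URL written with backslashes.
sample=$(mktemp)
printf 'sinks:\n  flc-to-onum:\n    type: hec\n    token: 20240101\n    url: https:\\\\onum.example.test:8443\n' >"$sample"
lint_flc_sink "$sample" || echo "fix the findings above before publishing"
rm -f "$sample"
```

The `caFile` check compares the path as written in the file, so it applies to POSIX paths and does not unescape Windows-style `\\` sequences.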

