
Collect data from Falcon LogScale

See the changelog of the Falcon LogScale Collector Listener here.

Overview

This article outlines a basic data flow from Falcon LogScale Collector to the Onum Falcon LogScale Collector Listener.

Prerequisites

  • In most cloud-based Onum installations, the TLS configuration section of the Falcon LogScale Collector Listener is not visible and you won't need to enter these values. In these setups, Onum automatically manages TLS certificates, eliminating the need for manual configuration. If your Falcon LogScale Collector Listener configuration requires you to manually enter these TLS certificates, you can generate them following the instructions in this article.

  • You'll need to know your Onum distributor URL, as it will be required in the Falcon LogScale Collector setup. In most cloud-based Onum installations, the Onum distributor URL will be displayed in the Listener details once you create it. Click your Listener in the Listeners area and find it under the Address section. If you cannot see it, contact us and we'll send it to you.

Onum setup

First, you must configure a new Falcon LogScale Collector Listener in Onum:

1

In Onum, go to the Listeners area and click New listener. Select the Falcon LogScale Collector Listener from the list.

2

Enter a Name for the Listener. Optionally, add a Description and some Tags to identify the Listener.

3

For most cloud-based Onum installations, the Socket section is not visible, and port 443 is used by default. If you see it, enter the required port in the Port field. At this time, all TCP ports from 1024 to 10000 are open.

4

Now you need to generate a token that will be used to connect Onum to your Falcon LogScale Collector instance. You can use an online UUID generator tool to get it.

Back in Onum, go to the Authentication section, click the Select an API Key field and select New secret. In the window that appears, give your secret a Name and turn off the Expiration date toggle if not needed. Then, click Add new value and paste the token you generated. Click Save when you're done.

You'll later use this token in the Falcon LogScale Collector configuration.

Learn more about Secrets in this article.

5

Now, select the token you've just created.

6

In most cloud-based Onum installations, the TLS configuration section is not visible. In these setups, Onum automatically manages TLS certificates, eliminating the need for manual configuration.

If you see this section, you must enter the required Certificate, Private key and CA Chain. Learn how to generate these self-signed certificates in this article. Once you have them, click New secret in each field and add the corresponding values.

7

Now there are two possible scenarios:

  • If you didn't enter your TLS certificates, click Create listener and you'll see the Network configuration screen, which shows the Address and Port needed to communicate with Onum. You can also download the certificate in case you need it.

You can access all this information in the Listener details after creation, so don't worry.

  • If you entered the TLS certificates, you'll go directly to the next step to create the Listener labels.

8

Finally, click Create labels. Create any required labels if you need to break down your data and then click Create listener.

Falcon LogScale Collector setup

Now, access your Falcon instance and follow these steps:

1

In the left menu, click Data connectors > Data connections, then select the Fleet management tab.

2

Access the relevant Falcon LogScale Collector instance's config and add the following information under the sinks section:

  • The token value you added in the Falcon LogScale Collector Listener setup in Onum. This will go into the token field of the configuration.

  • The Onum URL, with the following format: https://<distributorURL:port>.

    • If you are working in a cloud tenant, you will find this URL in the Listener settings under Address. Click your Listener in the Listeners area to access its details.

    • Add the port you entered in the Onum configuration and include it in the url field of the configuration. If you are working in a cloud tenant, you can also see the Port in the Listener settings.

Below is a sample Falcon LogScale Collector config file:

FLC config file
sinks:
  flc-to-onum:
    type: hec
    token: <token>
    # Replace with generated token entered in Onum.
    url: https://<distributorURL:port>
    # Replace with Onum distributor URL & port. Must include the "https://" at the beginning.

3

Click Publish > Publish draft to publish your FLC config.

4

Finally, check the Fleet Management page to verify that the FLC status shows as Okay. The status may show Error if, for example, the port in the url field does not match the one you chose in Onum.
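A local pre-publish check for the sink settings described in the steps above, added here as an example (not code from Onum or CrowdStrike): it generates the token on your own machine rather than with an online tool, and checks the token and url fields against the format and ports this page gives. The function names, the sample host onum.example.invalid and the sample token are constructed for illustration.

```python
import re
import uuid
from urllib.parse import urlsplit

# Constructed sample sink, shaped like the sample config on this page.
SAMPLE = """\
sinks:
  flc-to-onum:
    type: hec
    token: 3f2b8c1e-7d4a-4e9b-9c55-0a1b2c3d4e5f
    url: https://onum.example.invalid:8443
"""

def new_token() -> str:
    """Random version-4 UUID from the OS CSPRNG, generated on this machine."""
    return str(uuid.uuid4())

def _field(text: str, key: str) -> str:
    # Line-based lookup for illustration only; this is not a YAML parser.
    m = re.search(rf"^[ \t]*{key}:[ \t]*(\S*)", text, re.MULTILINE)
    return m.group(1).strip("\"'") if m else ""

def check_sink(text: str) -> list[str]:
    """Return the problems found in a sink's token and url fields."""
    problems = []
    token, url = _field(text, "token"), _field(text, "url")
    if not token or "<" in token:
        problems.append("token is empty or still a placeholder")
    if "\\" in url:
        problems.append("url contains backslashes")
    if not url.startswith("https://"):
        return problems + ['url must start with "https://"']
    try:
        port = urlsplit(url).port
    except ValueError:
        return problems + ["url port is not a number"]
    # Assumption taken from this page: 443 on cloud tenants, else 1024-10000.
    if port is None:
        problems.append("url has no explicit port")
    elif port != 443 and not 1024 <= port <= 10000:
        problems.append(f"port {port} is not 443 or within 1024-10000")
    return problems

if __name__ == "__main__":
    print("new token:", new_token())
    print("problems:", check_sink(SAMPLE) or "none")
```

An empty result only means the fields are well-formed; the port still has to match the one set on the Listener in Onum.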
