Collect data from Falcon LogScale
Falcon LogScale Collector to Onum
Note that this Listener is only available in certain Tenants. Get in touch with us if you don't see it and want to access it.
Overview
The following article outlines a basic data flow from Falcon LogScale Collector to the Onum Falcon LogScale Collector Listener.
In some environments, where direct access to LogScale is prohibited, it may be necessary to configure the proxy server manually.
The collector attempts to detect the system's proxy automatically. If the collector should use a different proxy than the system's, or instead connect directly, it must be specified in the sink configuration. The proxy option accepts the following keywords: auto, system, and none, but it also accepts a URL specifying the proxy server to use.
Prerequisites
You need to generate your TLS certificates for use in securing the sending of data to Onum. These will be required during the Falcon LogScale Collector Listener configuration and in the Falcon LogScale Collector setup. Learn how to generate these self-signed certificates in this article.
You'll need to know your Onum distributor URL, as it will be required in the Falcon LogScale Collector setup. Contact us and we'll send it to you.
Onum setup
First, you must configure a new Falcon LogScale Collector Listener in Onum:
In Onum, go to the Listeners area and click New listener. Select the Falcon LogScale Collector Listener from the list.
Enter a Name for the Listener. Optionally, add a Description and some Tags to identify the Listener.
Then, enter the Port we're going to listen to. At this time, all TCP ports from 1024 to 10000 are open.
Now you need to generate a token that will be used to connect Onum to your Falcon LogScale Collector instance. You can use an online UUID generator tool to get it.
Note that the Falcon LogScale Collector won’t allow for token values that are just numeric.
Back to Onum, go to the Authentication section, click the Select an API Key field and select New secret. In the window that appears, give your secret a Name and turn off the Expiration date toggle if not needed. Then, click Add new value and paste the token you generated. Click Save when you're done.
You'll later use this token in the Falcon LogScale Collector configuration.
Now, select the token you've just created.
In the TLS configuration section, you must enter the required Certificate, Private key and CA Chain. Learn how to generate these self-signed certificates in this article. Once you have them, click New secret in each field and add the corresponding values.
Finally, click Create labels. Create any required labels if you need to break down your data and then click Create listener.
Falcon LogScale Collector setup
Now, access your Falcon NG-SIEM instance and follow these steps:
In Falcon NG-SIEM, click Data connectors > Data connections from the left menu, then select the Fleet management tab.
Access the relevant Falcon LogScale Collector instance's config and add the following information:
The token value you added in the Falcon LogScale Collector Listener setup in Onum. This goes into the token field of the configuration.
The Onum URL, in the format distributorURL:port. You must get your distributor URL from the Onum team, as it is not shown in the platform. Add the port you entered in the Onum configuration and include it in the url field of the configuration.
In the tls section at the end, add the path to the CA certificate file you generated before. Put the file in a directory that the Falcon LogScale Collector can read.
Check below a Falcon LogScale Collector sample config file:
flc-to-onum:
  type: hec
  # Replace with the token you generated and entered in Onum.
  token: <token>
  # Replace with the Onum distributor URL and port. Must include "https://" at the beginning.
  url: <distributorURL:port>
  tls:
    # Replace with the full file path to the CA certificate.
    caFile: "<filepath>"
If you're using Windows, you need to escape backslashes (\) with an extra backslash in your CA file path.
Click Publish > Publish draft to publish your FLC config.
Finally, check the Fleet Management page to verify that the FLC status shows as Okay. The status may show Error if, for example, you did not enter the same port you chose in Onum.
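As an added example (not Onum's or CrowdStrike's code), a small Python lint you can run on a sink block before publishing it. It checks the constraints this page states: the sink type is hec, the token is not purely numeric or still a placeholder, the URL begins with https:// and ends with a Listener port in the 1024-10000 range, and a Windows caFile path has each backslash doubled. The distributor hostname, token and certificate path in the sample sink are constructed values.

```python
import re
from urllib.parse import urlsplit

def _value(text, key):
    """Value of the first 'key: value' line in the sink, surrounding quotes stripped."""
    m = re.search(rf"^\s*{key}:\s*(.*?)\s*$", text, re.M)
    return m and m.group(1).strip("\"'")

def lint_sink_config(text):
    """Return the problems found in one HEC sink block; an empty list means it is OK."""
    problems = []
    if _value(text, "type") != "hec":
        problems.append("type must be hec")
    token = _value(text, "token")
    if not token or token.startswith("<"):
        problems.append("token is missing or still a placeholder")
    elif token.isdigit():
        problems.append("token must not be purely numeric; the collector rejects it")
    parts = urlsplit(_value(text, "url") or "")
    if parts.scheme != "https":
        problems.append("url must begin with https://")
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        port = None
    if port is None or not 1024 <= port <= 10000:
        problems.append("url must end with the Listener port (1024-10000)")
    ca = _value(text, "caFile")
    if not ca or ca.startswith("<"):
        problems.append("tls.caFile is missing or still a placeholder")
    elif any(len(run) % 2 for run in re.findall(r"\\+", ca)):
        problems.append("Windows caFile path must escape each backslash as \\\\")
    return problems

# Constructed sample sink; hostname, token and path are made up, not real Onum values.
GOOD_SINK = r"""
flc-to-onum:
  type: hec
  token: 3f6a2c1e-9b7d-4e21-8a45-0c1d2e3f4a5b
  url: https://distributor.example.invalid:9000
  tls:
    caFile: "C:\\certs\\onum-ca.pem"
"""

# The same sink with the three mistakes the page warns about: a numeric token,
# a port that does not match the Listener, and an unescaped Windows path.
BAD_SINK = (GOOD_SINK.replace("3f6a2c1e-9b7d-4e21-8a45-0c1d2e3f4a5b", "12345678")
            .replace(":9000", ":443").replace("\\\\", "\\"))
```

Run lint_sink_config over the sink block you are about to publish; an empty list means none of the checks above fired.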