WebsiteBlogLogin

Collect data from the Falcon LogScale Collector

Falcon LogScale Collector to Onum

See the changelog of the Falcon LogScale Collector Listener here.

Note that this Listener is only available in certain Tenants. Get in touch with us if you don't see it and want to access it.

Overview

The following article outlines a basic data flow from Falcon LogScale Collector to the Onum Falcon LogScale Collector Listener.

In some environments, where direct access to LogScale is prohibited, it may be necessary to configure the proxy server manually.

The collector attempts to detect the system's proxy automatically. If the collector should use a different proxy than the system's, or instead connect directly, it must be specified in the sink configuration. The proxy option accepts the following keywords: auto, system, and none, but it also accepts a URL specifying the proxy server to use.

Prerequisites

You need to generate your TLS certificates for use in securing the sending of data to Onum. These will be required during the Falcon LogScale Collector Listener configuration and in the Falcon LogScale Collector setup.

Learn how to generate these self-signed certificates in this article.

Falcon LogScale Collector setup

Access your Falcon NG-SIEM instance and follow these steps:

1

In Falcon NG-SIEM, click Data connectors > Data connections from the left menu, then select the Fleet management tab.

2

Choose the required VM in this area and access its configuration.

3

Add the following information:

  • The required token value.

  • The Onum URL, with the following format: distributorURL:port

  • In the TLS section at the end, add the path to the required CA certificate file. Add the file in a directory that the Falcon LogScale Collector can read.

If you're using Windows, you need to escape backslashes (\) with an extra backslash in your CA file path.

Onum setup

1

In Onum, go to the Listeners area and click New listener. Select the Falcon LogScale Collector Listener from the list.

2

Enter a Name for the Listener. Optionally, add a Description and some Tags to identify the Listener.

3

Then, enter the Port we're going to listen to.

4

In the Authentication section, click the Select an API Key field and select New secret. In the window that appears, give your secret a Name and turn off the Expiration date option. Then, click Add new value and paste the required value from your Falcon LogScale Collector. Click Save when you're done.

Learn more about Secrets in this article.

5

Now, select the token used to receive in the Token field.

6

In the TLS configuration section, you must enter the required Certificate, Private key and CA Chain. See above how to create them. Once you have them, click New secret in each field and add the corresponding values.

7

Finally, click Create labels. Create any required labels if you need to break down your data and then click Create listener.

PreviousCollect data from Apache KafkaNextCollect data using HTTP

Last updated

Was this helpful?