FLC Basic Setup and Configuration - CrowdStrike/logscale-community-content GitHub Wiki

Summary

This is a simplified set of instructions for installing Falcon LogScale Collector, which is used to send data to Next-Gen SIEM. The resulting config will enable a syslog listener on port 1514.

Instructions

Download FLC

  1. In the Falcon Console: Menu → Support and resources → Tools downloads
  2. Search for the latest “LogScale Collector for Platform” on the page, e.g. LogScale Collector For Windows - X64, v1.7.2. Sort by the file name to find the latest version.
  3. Download the file and copy it to the host where it should be installed.

Install FLC

Follow the custom install instructions. All you’ll be doing is installing the binaries. The configuration file will be generated at a later step. Quick examples:

// Windows
Just double-click the installer and run it.
 
// Ubuntu
sudo dpkg -i humio-log-collector_1.7.1_linux_amd64.deb
 
// Redhat
sudo rpm -i humio-log-collector_1.7.1_linux_amd64.rpm

Configure the HEC Connector

  1. In the Falcon Console: Menu → Next-Gen SIEM → Data onboarding
  2. Click on the tile for HEC / HTTP Event Collector
  3. Give the data source a name, choose JSON as the data type, give the connector a name, select the parser to use, check the box, and click Save.
  4. Close the pop-up and reload the page.
  5. Click Generate API key in the upper-right corner.
  6. Copy the API key and API URL and save them to a text file. Use the copy button in the UI.
// Example values from the UI
API key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
API URL: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Z.crowdstrike.com/services/collector

! IMPORTANT !

Remove /services/collector from the end of the URL before saving the value; the config expects only the scheme and host, without that path. For example:

https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Z.crowdstrike.com/services/collector

Becomes:

https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Z.crowdstrike.com

Configure FLC

  1. Download the FLC configuration file. That link is on GitHub so you can share it with the customer.
  2. Save the file as config.yaml and open it in a plain text editor, e.g. vim or Notepad. Do not use something like Microsoft Word.
  3. At the bottom of the file, replace the token: value with the API key value from the previous steps.

You end up with something like this:

token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Z.crowdstrike.com

Save the file as config.yaml and copy it over to the host running FLC. You can overwrite the existing file.

// Windows
// Open Explorer in this directory:
// C:\Program Files (x86)\CrowdStrike\Humio Log Collector\
// Rename the existing config.yaml file to config.yaml.bak
// Copy the config.yaml file you just created into the C:\Program Files (x86)\CrowdStrike\Humio Log Collector\ directory.
 
// Linux
sudo mv /etc/humio-log-collector/config.yaml /etc/humio-log-collector/config.yaml.bak
sudo cp config.yaml /etc/humio-log-collector/
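The URL fix-up and token substitution above are easy to get wrong by hand. The following POSIX shell helpers are an added example, not part of the wiki or the collector project: they strip the /services/collector suffix the UI appends, refuse a URL that still carries it, fill the token: and url: lines of a config.yaml template, and check the syslog listener after the restart. The template layout (top-level or indented token:/url: keys) and the 1514 port are assumptions taken from this page; all sample values are constructed.

```shell
#!/bin/sh
# Added example (not wiki or project code). Assumes config.yaml ends with
# "token:" and "url:" keys as described on this page; values are constructed.

# Strip the /services/collector suffix (and any trailing slash) from the
# API URL copied out of the Falcon UI, leaving only scheme and host.
normalize_hec_url() {
  _url=${1%/}
  _url=${_url%/services/collector}
  printf '%s\n' "${_url%/}"
}

# Return 0 only for an https crowdstrike.com host with no path component.
check_hec_url() {
  case $1 in
    https://*/*) return 1 ;;               # any path left over, incl. the HEC path
    https://*.crowdstrike.com) return 0 ;;
    *) return 1 ;;
  esac
}

# render_config TEMPLATE TOKEN RAW_URL OUTPUT
# Rewrites the token:/url: lines (keeping their indentation) into OUTPUT.
render_config() {
  _tmpl=$1 _token=$2 _out=$4
  _url=$(normalize_hec_url "$3")
  check_hec_url "$_url" || { echo "rejected API URL: $_url" >&2; return 1; }
  sed -e "s#^\([[:space:]]*\)token:.*#\1token: $_token#" \
      -e "s#^\([[:space:]]*\)url:.*#\1url: $_url#" "$_tmpl" > "$_out"
}

# After "systemctl restart", confirm something is bound to the syslog port
# (assumed 1514, as on this page). Needs iproute2's ss; not run offline.
verify_listener() {
  ss -lnp 2>/dev/null | grep -q ":${1:-1514} " \
    && echo "port ${1:-1514} is listening" \
    || { echo "nothing listening on ${1:-1514}; check debug output" >&2; return 1; }
}
```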

Restart FLC

You'll next need to restart FLC to use the configuration you just created.

// Windows
Open services.msc and restart "Humio Log Collector"
 
// Linux
sudo systemctl restart humio-log-collector.service
sudo systemctl enable humio-log-collector.service

Next Steps

Syslog events sent to port 1514 on the host running FLC should be visible in Event Search in Next-Gen SIEM.

Debugging

You can run humio-log-collector in debug mode to determine why something might not be working.

// Windows
// Open services.msc and stop "Humio Log Collector"
// Open cmd.exe or PowerShell as administrator
// cd to C:\Program Files (x86)\CrowdStrike\Humio Log Collector\
// Run the following command:
// humio-log-collector.exe --cfg config.yaml --log-level debug --log-pretty
// Press Ctrl+C to stop
// Open services.msc and start "Humio Log Collector"
 
// Linux
sudo systemctl stop humio-log-collector
sudo -u humio-log-collector humio-log-collector --cfg /etc/humio-log-collector/config.yaml --log-level debug --log-pretty
// Press Ctrl+C to stop
sudo systemctl restart humio-log-collector