FLC Simple Install with Fleet Management in Next‐Gen SIEM - CrowdStrike/logscale-community-content GitHub Wiki
This is a simplified set of instructions for installing Falcon LogScale Collector with Fleet Management using the "1-line" install method, which is used to send data to Next-Gen SIEM. Fleet Management allows for centralized management of FLC within the Next-Gen SIEM interface. The resulting config in this example will enable a syslog listener on port 1514.
- In the Falcon Console: Menu → Next-Gen SIEM → Data onboarding
- Click on the + Add connection button
- On the data connectors page click Filter by Connector name
- Click the HEC / HTTP Event Connector result, then Configure on the far right
- Give the data source a name, choose JSON as the data type, fill in a connector name, select the parser to use, toggle host and user enrichment, check the terms and conditions checkbox, and click Save
- Close the pop-up and reload the page.
- Click Generate API key in the upper-right
- Save the API key and API URL somewhere safe
- In the Falcon Console: Menu → Next-Gen SIEM → Data onboarding → Fleet Management → Config overview.
- Click on + New config near the upper-right corner.
- Input Basic Syslog Config as the config name, use Empty config, and then click Create new.
- Delete the existing template under Draft editor.
- Open this link in a new browser tab. Copy the text from the link, and paste it into the Draft editor section where you just deleted the text.
- In the draft editor, overwrite the `token` and `url` values with the values from the HEC connector in the previous steps.
- Click the Publish button just above the config code block.
- Click the Enrollment tokens tab after the config has been published, followed by + New token near the upper-right corner.
- Input Basic Syslog Token as the Token name, and Basic Syslog Config as the Assigned config. Next click Create token.
- On the Enrollment tokens page, click the eye icon for the Basic Syslog Token that you just created. You will be presented with a list of commands for Windows, Linux, and MacOS. Keep this open for the next steps.
- Click the Fleet Overview tab on top of the window.
- Click Get LogScale Collector button in the top right of the pane.
- Use the radio button to choose whether to install on macOS/Linux or Windows.
- Select the token name you generated above (Basic Syslog Token).
Linux/macOS:
- Copy the command displayed
- Paste it into a terminal (or SSH) window
Notes:
- The install may take some time to download and install the package. Just be patient.
- The user account MUST have `sudo` access on the system.
- The system must have `curl` installed and requires a `bash` shell.
- The system must be able to access the Fleet Management API via TCP 443.
The collector should be installed once the command prompt returns.
There should be a debug message that ends with the following, as the last line above the command prompt:
```
"message":"Bootstrap complete"}
```
The host should appear in the Fleet overview tab under the Fleet management tab.
Windows:
- Copy the command displayed
- Open a PowerShell window with administrative rights (search for "PowerShell", then click "Run as Administrator")
- Paste the command into the PowerShell window.
Notes:
- The install may take some time to download and install the package. Just be patient.
- The PowerShell window MUST have administrative rights.
- The system must be able to access the Fleet Management API via TCP 443.
The collector should be installed once the command prompt returns.
There should be a debug message that ends with the following, as the last line above the command prompt:
```
"message":"Bootstrap complete"}
```
The host should appear in the Fleet overview tab under the Fleet management tab.
Syslog events sent to port 1514 on the host running FLC should be visible in Event Search in Next-Gen SIEM. The config can now be modified and published directly from NG-SIEM.
One way to test is to use the logger command. Here is an example command:
```shell
logger -n localhost -P 1514 "my test message via logger 20250601-0800 - uniquestringtosearch"
```
You can run the Falcon LogScale collector in debug mode to determine why something might not be working.
Windows:
- Open services.msc and stop "LogScale Collector"
- Open cmd.exe or PowerShell as administrator
- Change directories with the following command:
```
cd "C:\Program Files\LogScale Collector\"
```
- Run the following command (in PowerShell, prefix it with the `&` call operator so the quoted executable name is run rather than echoed):
```
"LogScale Collector.exe" --cfg config.yaml --log-level debug --log-pretty
```
- Hit <ctrl>+<c> to stop when complete
- Open services.msc and start "LogScale Collector"
Linux:
- Stop the service:
```shell
sudo systemctl stop logscale-collector
```
- Run the collector in the foreground as the service user:
```shell
sudo -u logscale-collector logscale-collector --cfg /etc/logscale-collector/config.yaml --log-level debug --log-pretty
```
- Hit <ctrl>+<c> to stop when complete
- Restart the service:
```shell
sudo systemctl restart logscale-collector
```
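The two checks this page does by eye, a test syslog message on port 1514 with a unique string to search for, and the "Bootstrap complete" line in the collector's debug output, as an added Python smoke test that is not part of this wiki or of LogScale Collector. The hostname `flc-test`, the sample JSON lines and every field in them other than `message` are assumptions.

```python
import json
import socket
import time
from datetime import datetime, timezone

SYSLOG_HOST = "localhost"
SYSLOG_PORT = 1514  # listener port enabled by the wiki's sample config

def build_syslog_message(marker: str, hostname: str = "flc-test",
                         app: str = "logger", facility: int = 1, severity: int = 6) -> bytes:
    """RFC 5424 line; PRI = facility*8 + severity, user(1)/info(6) gives <14> like logger."""
    pri = facility * 8 + severity
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {ts} {hostname} {app} - - - my test message {marker}".encode()

def send_test_message(payload: bytes, host: str = SYSLOG_HOST,
                      port: int = SYSLOG_PORT, tcp: bool = False) -> int:
    """Send one message to the FLC listener and return bytes sent.
    TCP syslog is newline-delimited; UDP sends the bare datagram."""
    if tcp:
        with socket.create_connection((host, port), timeout=5) as s:
            return s.send(payload + b"\n")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(payload, (host, port))

def bootstrap_completed(log_lines) -> bool:
    """True if any JSON debug line from FLC reports "Bootstrap complete"."""
    for line in log_lines:
        line = line.strip()
        if not line.startswith("{"):
            continue  # skip non-JSON noise such as shell output or blank lines
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("message") == "Bootstrap complete":
            return True
    return False

# Constructed sample of installer output (assumed); only the message text is from the wiki.
SAMPLE_DEBUG_OUTPUT = [
    '{"level":"debug","time":"2025-06-01T08:00:00Z","message":"Fetching config"}',
    '{"level":"debug","time":"2025-06-01T08:00:02Z","message":"Bootstrap complete"}',
]

if __name__ == "__main__":
    marker = f"flctest-{int(time.time())}"  # unique string to search for in Event Search
    sent = send_test_message(build_syslog_message(marker))
    print(f"sent {sent} bytes to {SYSLOG_HOST}:{SYSLOG_PORT}; search Event Search for: {marker}")
    print("bootstrap complete in sample output:", bootstrap_completed(SAMPLE_DEBUG_OUTPUT))
```

Pass `tcp=True` to `send_test_message` if the published config's syslog listener is configured for TCP rather than UDP.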