
FLC Basic Setup with Fleet Management

nlabadie-crwd edited this page Nov 26, 2024 · 6 revisions

Summary

This is a simplified set of instructions for installing Falcon LogScale Collector with Fleet Management, which is used to send data to Next-Gen SIEM. Fleet Management allows for centralized management of FLC within the Next-Gen SIEM interface. The resulting config in this example will enable a syslog listener on port 1514.

Instructions

Download FLC

  1. In the Falcon Console: Menu → Support and resources → Tools downloads
  2. Search for the latest “LogScale Collector for Platform” on the page, e.g. LogScale Collector For Windows - X64, v1.7.2. Sort by the file name to find the latest version.
  3. Download the file and copy it to the host where it should be installed.

Install FLC

Follow the custom install instructions. All you’ll be doing is installing the binaries. The configuration file will be generated at a later step. Quick examples:

// Windows
Double-click the installer and run it.
 
// Ubuntu / Debian
// The version in the file name will differ; use the exact file you downloaded.
sudo dpkg -i humio-log-collector_1.7.1_linux_amd64.deb
 
// Red Hat / RHEL-based
sudo rpm -i humio-log-collector_1.7.1_linux_amd64.rpm

Configure the HEC Connector

  1. In the Falcon Console: Menu → Next-Gen SIEM → Data onboarding
  2. Click on the tile for HEC / HTTP Event Collector
  3. Give the data source a name, choose JSON as the data type, give the connector a name, select the parser to use, check the box, and click Save.
  4. Close the pop-up and reload the page.
  5. Click Generate API key in the upper-right corner.
  6. Copy the API key and API URL and save them to a text file, using the copy button in the UI. Treat the API key as a credential: anyone holding it can write events into this data connector.
// Example values from the UI
API key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
API URL: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Z.crowdstrike.com/services/collector

! IMPORTANT !

The config expects the base ingest URL only. Remove /services/collector from the end of the URL before saving the value. For example:

https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Z.crowdstrike.com/services/collector

Becomes:

https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Z.crowdstrike.com

Configure Fleet Management in NG-SIEM

  1. In the Falcon Console: Menu → Next-Gen SIEM → Data onboarding → Fleet Management → Config overview.
  2. Click on + New config near the upper-right corner.
  3. Input Basic Syslog Collector Config as the config name, use Empty config, and then click Create new.
  4. Delete the existing template under Draft editor.
  5. Open this link in a new browser tab. Copy the text from the link, and paste it into the Draft editor section where you just deleted the text.
  6. In the draft editor, overwrite the token and url values with the values from the HEC Collector in the previous steps.
  7. Click Publish and then Publish draft in the pop-up.
  8. Click the Enrollment tokens tab after the config has been published, followed by + New token near the upper-right corner.
  9. Input Basic Syslog Collector Token as the Token name, and Basic Syslog Collector Config as the Assigned config. Next click Create token.
  10. On the Enrollment tokens page, click the eye icon for the Basic Syslog Collector Token that you just created. You will be presented with a list of commands for Windows, Linux, and MacOS. Keep this open for the next steps.
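The template behind the link in step 5 is not reproduced on this page. As an added example (not the page's template and not CrowdStrike's own file), this is the shape of config the draft editor expects for this setup: one syslog listener on port 1514 feeding a HEC sink. Key names follow the LogScale Collector configuration schema; the source and sink names are arbitrary choices, and the `token` and `url` values are placeholders to be replaced with the HEC values from the previous section (with `/services/collector` already removed from the URL). Whether the listener is UDP, TCP or both is not stated on the page, so both are shown and one can be deleted.

```yaml
# Added example config for Fleet Management, not the page's linked template.
# Only sources and sinks belong here; the local dataDirectory and fleet
# settings are written to the host by the enroll command.
sources:
  # Assumed name. Syslog over UDP on 1514 (unprivileged port, so the
  # collector does not need root to bind it).
  syslog_udp_1514:
    type: syslog
    mode: udp
    port: 1514
    sink: ngsiem_hec
  # Assumed name. Same port over TCP; remove this block if only UDP is wanted.
  syslog_tcp_1514:
    type: syslog
    mode: tcp
    port: 1514
    sink: ngsiem_hec

sinks:
  # Assumed name. Overwrite token and url with the values from the HEC connector.
  ngsiem_hec:
    type: hec
    token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    # Base ingest URL only: no /services/collector suffix.
    url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Z.crowdstrike.com
    # Set to none unless egress from this host must go through a proxy.
    proxy: none
```

The host firewall still has to allow inbound 1514 for the chosen protocol, and the token in this config is distributed to every host enrolled with it, so scope the enrollment token to the hosts that need this config.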

Enroll FLC

These commands will be run on the host where you installed FLC. Use the command specific to your OS. Examples:

// Windows
// Run this from PowerShell or cmd.exe as administrator. 
"C:\Program Files (x86)\CrowdStrike\Humio Log Collector\humio-log-collector.exe" enroll XXXXXXXXXXXXXXXX

// Linux
sudo humio-log-collector enroll XXXXXXXXXXXXXXXX

// MacOS
sudo logscale-collector enroll XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

You should see a message about the collector being successfully enrolled and restarted after the command is run. The host should appear in the Fleet overview tab under the Fleet management tab.

Next Steps

Syslog events sent to port 1514 on the host running FLC should be visible in Event Search in Next-Gen SIEM. The config can now be modified and published directly from NG-SIEM.
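To confirm the path end to end, send a marked test event at the listener and search for the marker in Event Search. The script below is an added example, not part of the page: it builds an RFC 5424 syslog line, sends it to port 1514 over UDP (or TCP) and prints the marker to search for. The collector host and port come from the environment variables FLC_HOST and FLC_PORT, which are assumptions of this example and default to the local host and 1514.

```bash
#!/usr/bin/env bash
# Added example: push a marked RFC 5424 syslog event at the FLC listener on
# port 1514 so it can be found in Event Search. Not part of the original page.
# Assumptions: FLC listens on UDP and/or TCP 1514 on FLC_HOST (default localhost).

set -u

FLC_HOST="${FLC_HOST:-127.0.0.1}"
FLC_PORT="${FLC_PORT:-1514}"

# syslog_pri FACILITY SEVERITY -> PRI value (facility * 8 + severity)
syslog_pri() {
  echo $(( $1 * 8 + $2 ))
}

# syslog_msg FACILITY SEVERITY HOSTNAME APPNAME MSG -> one RFC 5424 line
# Layout: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
syslog_msg() {
  local pri ts
  pri=$(syslog_pri "$1" "$2")
  ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  printf '<%d>1 %s %s %s - - - %s' "$pri" "$ts" "$3" "$4" "$5"
}

# send_udp LINE: uses bash's /dev/udp pseudo-device when running under bash,
# otherwise nc. UDP gives no delivery confirmation; check Event Search.
send_udp() {
  if [ -n "${BASH_VERSION:-}" ]; then
    printf '%s\n' "$1" > "/dev/udp/$FLC_HOST/$FLC_PORT"
  else
    printf '%s\n' "$1" | nc -u -w1 "$FLC_HOST" "$FLC_PORT"
  fi
}

# send_tcp LINE: syslog over TCP with newline framing.
send_tcp() {
  printf '%s\n' "$1" | nc -w1 "$FLC_HOST" "$FLC_PORT"
}

# Only transmit when asked ("send" or "send-tcp"), so the file is safe to
# source or run offline just to inspect the message format.
if [ "${1:-}" = "send" ] || [ "${1:-}" = "send-tcp" ]; then
  marker="flc-test-$(date +%s)"
  # facility 1 (user), severity 6 (info)
  line=$(syslog_msg 1 6 "$(hostname)" "flc-check" "test event $marker")
  if [ "$1" = "send" ]; then send_udp "$line"; else send_tcp "$line"; fi
  echo "sent: $line"
  echo "search Event Search for: $marker"
fi
```

Run it as `bash flc-check.sh send` on any host that can reach the collector (or on the collector itself), then search Event Search for the printed marker. If the event never appears, check the host firewall on 1514, then run the collector in debug mode as described under Debugging.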

Debugging

You can run humio-log-collector in debug mode to determine why something might not be working.

// Windows
// Open services.msc and stop "Humio Log Collector"
// Open cmd.exe or PowerShell as administrator
// cd to C:\Program Files (x86)\CrowdStrike\Humio Log Collector\
// Run the following command:
// humio-log-collector.exe --cfg config.yaml --log-level debug --log-pretty
// Hit ctrl+c to stop
// Open services.msc and start "Humio Log Collector"
 
// Linux
sudo systemctl stop humio-log-collector
// Run as the service account so the debug run sees the same file and port permissions as the service
sudo -u humio-log-collector humio-log-collector --cfg /etc/humio-log-collector/config.yaml --log-level debug --log-pretty
// Hit ctrl+c to stop
sudo systemctl restart humio-log-collector