Edge Delta CrowdStrike Falcon LogScale Destination

Send logs to CrowdStrike Falcon LogScale.

6 minute read

Overview

The CrowdStrike Falcon LogScale Destination node sends logs to a CrowdStrike Falcon LogScale destination.

incoming_data_types: cluster_pattern_and_sample, log, custom

Configuring CrowdStrike Falcon LogScale

To use this output, ensure you have a valid LogScale token and endpoint for data ingestion.

Example Configuration

nodes:
  - name: logscale
    type: crowdstrike_falcon_logscale_output
    request_format: json
    token: some-token
    endpoint: https://cloud.us.humio.com:443/api/v1/ingest/hec

Required Parameters

name

A descriptive name for the node. This is the name that will appear in Visual Pipelines and you can reference this node in the YAML using the name. It must be unique across all nodes. It is a YAML list element so it begins with a - and a space followed by the string. It is a required parameter for all nodes.

nodes:
  - name: <node name>
    type: <node type>

type: crowdstrike_falcon_logscale_output

The type parameter specifies the type of node being configured. It is specified as a string from a closed list of node types. It is a required parameter.

nodes:
  - name: <node name>
    type: <node type>

token

The token for accessing LogScale via its API. It is written as a string. It is used with the endpoint parameter and is required.

nodes:
  - name: logscale
    type: crowdstrike_falcon_logscale_output
    request_format: json
    token: some-token
    endpoint: https://cloud.us.humio.com:443/api/v1/ingest/hec

endpoint

The endpoint parameter defines the HTTP stream endpoint. It is specified as a string and is required.

nodes:
  - name: logscale
    type: crowdstrike_falcon_logscale_output
    request_format: json
    token: some-token
    endpoint: https://cloud.us.humio.com:443/api/v1/ingest/hec

request_format

The request_format parameter defines the format that requests take. You specify either raw or json however, it must match the endpoint type. For example, for endpoints with “/api/v1/ingest/hec” or “/services/collector” suffixes, the request_format should be JSON, whereas for endpoints with “/api/v1/ingest/hec/raw” or “/services/collector/raw” suffixes, it should be raw. It is required.

nodes:
  - name: logscale
    type: crowdstrike_falcon_logscale_output
    request_format: json|raw
    token: some-token
    endpoint: https://cloud.us.humio.com:443/api/v1/ingest/hec

Optional Parameters

buffer_max_bytesize

The buffer_max_bytesize parameter configures the maximum byte size for total unsuccessful items. If the limit is reached, the remaining items are discarded until the buffer space becomes available. It is specified as a datasize.Size, has a default of 0 indicating no size limit, and it is optional.

nodes:
  - name: logscale
    type: crowdstrike_falcon_logscale_output
    request_format: json
    token: some-token
    endpoint: https://cloud.us.humio.com:443/api/v1/ingest/hec
    buffer_max_bytesize: 2048

buffer_path

The buffer_path parameter configures the path to store unsuccessful items. Unsuccessful items are stored there to be retried back (exactly once delivery). It is specified as a string and it is optional.

nodes:
  - name: logscale
    type: crowdstrike_falcon_logscale_output
    request_format: json
    token: some-token
    endpoint: https://cloud.us.humio.com:443/api/v1/ingest/hec
    buffer_path: <path to unsuccessful items folder>

buffer_ttl

The buffer_ttl parameter configures the time-to-Live for unsuccessful items, which indicates when to discard them. It is specified as a duration, has a default of 15m, and it is optional.

nodes:
  - name: logscale
    type: crowdstrike_falcon_logscale_output
    request_format: json
    token: some-token
    endpoint: https://cloud.us.humio.com:443/api/v1/ingest/hec
    buffer_ttl: 20m

tls

The tls parameter is a dictionary type that enables a number of options to be set using sub-parameters. It is optional.

nodes:
  - name: logscale
    type: crowdstrike_falcon_logscale_output
    request_format: json
    token: some-token
    endpoint: https://cloud.us.humio.com:443/api/v1/ingest/hec
    tls:
        <tls options>:

ca_file The ca_file parameter is a child of the tls parameter. It specifies the CA certificate file. It is specified as a string and is optional.

nodes:
  - name: logscale
    type: crowdstrike_falcon_logscale_output
    request_format: json
    token: some-token
    endpoint: https://cloud.us.humio.com:443/api/v1/ingest/hec
    tls:
      ca_file: /certs/ca.pem

ca_path The ca_path parameter is a child of the tls parameter. It specifies the location of the CA certificate files. It is specified as a string and is optional.

nodes:
  - name: logscale
    type: crowdstrike_falcon_logscale_output
    request_format: json
    token: some-token
    endpoint: https://cloud.us.humio.com:443/api/v1/ingest/hec
    tls:
      ca_path: /var/etc/kafka

client_auth_type The client_auth_type parameter is a child of the tls parameter. It specifies the authentication type to use for the connection. It is specified as a string from a closed list and is optional.

The following authentication methods are available:

noclientcert indicates that no client certificate should be requested during the handshake, and if any certificates are sent they will not be verified.
requestclientcert indicates that a client certificate should be requested during the handshake, but does not require that the client send any certificates.
requireanyclientcert indicates that a client certificate should be requested during the handshake, and that at least one certificate is required from the client, but that certificate is not required to be valid.
verifyclientcertifgiven indicates that a client certificate should be requested during the handshake, but does not require that the client sends a certificate. If the client does send a certificate it is required to be valid.
requireandverifyclientcert indicates that a client certificate should be requested during the handshake, and that at least one valid certificate is required to be sent by the client

nodes:
  - name: logscale
    type: crowdstrike_falcon_logscale_output
    request_format: json
    token: some-token
    endpoint: https://cloud.us.humio.com:443/api/v1/ingest/hec
    tls:
      client_auth_type: <auth type>

crt_file The crt_file parameter is a child of the tls parameter. It specifies the certificate file. It is specified as a string and is optional.

nodes:
  - name: logscale
    type: crowdstrike_falcon_logscale_output
    request_format: json
    token: some-token
    endpoint: https://cloud.us.humio.com:443/api/v1/ingest/hec
    tls:
      crt_file: /certs/server-cert.pem

ignore_certificate_check The ignore_certificate_check parameter is a child of the tls parameter. When set to true, it ignores certificate checks for the remote endpoint. It is specified as a Boolean value and the default is false, indicating that TLS verification will be performed. This is an optional parameter.

nodes:
  - name: logscale
    type: crowdstrike_falcon_logscale_output
    request_format: json
    token: some-token
    endpoint: https://cloud.us.humio.com:443/api/v1/ingest/hec
    tls:
      ignore_certificate_check: true

key_file The key_file parameter is a child of the tls parameter. It specifies the key file. It is specified as a string and is optional.

nodes:
  - name: logscale
    type: crowdstrike_falcon_logscale_output
    request_format: json
    token: some-token
    endpoint: https://cloud.us.humio.com:443/api/v1/ingest/hec
    tls:
      key_file: /certs/server-key.pem

key_password The key_password parameter is a child of the tls parameter. It specifies the key password. When the private key_file location is provided, this file can also be provided to get the password of the private key. It is specified as a string and is optional.

nodes:
  - name: logscale
    type: crowdstrike_falcon_logscale_output
    request_format: json
    token: some-token
    endpoint: https://cloud.us.humio.com:443/api/v1/ingest/hec
    tls:
      key_password: <password>

max_version The max_version parameter is a child of the tls parameter. It specifies the maximum version of TLS to accept. It is specified as a string and is optional.

You can select one of the following options:

TLSv1_0
TLSv1_1
TLSv1_2
TLSv1_3

nodes:
  - name: logscale
    type: crowdstrike_falcon_logscale_output
    request_format: json
    token: some-token
    endpoint: https://cloud.us.humio.com:443/api/v1/ingest/hec
    tls:
      max_version: <TLS version>

min_version The min_version parameter is a child of the tls parameter. It specifies the minimum version of TLS to accept. It is specified as a string and is optional. The default is TLSv1_2.

You can select one of the following options:

TLSv1_0
TLSv1_1
TLSv1_2
TLSv1_3

nodes:
  - name: logscale
    type: crowdstrike_falcon_logscale_output
    request_format: json
    token: some-token
    endpoint: https://cloud.us.humio.com:443/api/v1/ingest/hec
    tls:
      min_version: <TLS version>