Existing ingestion configuration
Ingesting log data is a key step to ensure you parse your log data correctly before that data enters Chronosphere. Which data ingestion methods, and how many, you choose depend on your data sources.
Although Chronosphere recommends using Calyptia to ingest log data, you can use your existing ingestion pipeline to send log data through LogScale to Chronosphere without modifying your current configuration.
CrowdStrike® Falcon LogScale™ supports many common ingestion sources such as FluentD, Beats, OpenTelemetry, and other popular log shippers. If a LogScale integration isn't available for your ingestion sources, use the LogScale ingest API to ingest your log data.
To get started with ingesting logs using your existing ingestion configuration:
Create an ingest API token
Before ingesting log data, you need to create an API token to authenticate with and ingest data to Chronosphere. See Ingest tokens in the LogScale documentation for more information about creating ingest tokens.
You must have administrative permissions in Chronosphere to complete this task.
- In the navigation menu select Explorers > Logs Explorer.
- Click Repository settings to open LogScale repository settings in a new tab.
- In the LogScale interface, select the repository you want to create an API token for.
- In the main LogScale navigation, click Settings.
- In the Ingest section of the sidebar navigation, click Ingest tokens.
- Click Add token to create a new ingest token.
- Enter a name for your token.
- Optional: Assign a parser for your token if you want to parse data during ingestion.
- Click Save to save your ingest token.
Store your ingest API token in a secure location. If you lose your token, you must create a new one.
Use this ingest API token in your existing ingestion configuration to authenticate with and begin sending log data to Chronosphere.
Update your existing ingestion configuration
Chronosphere provides the following ingestion endpoint for log data:
https://ADDRESS.ingest.logs.chronosphere.io/
Replace ADDRESS with your company name prefixed to your Chronosphere instance that ends in ingest.logs.chronosphere.io. For example, MY_COMPANY.ingest.logs.chronosphere.io.
When sending log data to Chronosphere, use this endpoint to construct a complete URL in your existing ingestion configuration. The path portion of the URL depends on the collector you use and the format of your logs.
LogScale API
If you use the LogScale ingest API to ingest log data, the complete URL to send logs to Chronosphere is:
https://ADDRESS.ingest.logs.chronosphere.io/api/v1/ingest/humio-structured
The LogScale documentation includes a minimal configuration file example to start collecting log events.
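The following Python, added here as an example and not taken from the Chronosphere or LogScale documentation, builds the authenticated request for this URL without sending it. The token is read from an environment variable instead of the script, and ADDRESS is checked so the bearer token can only go to a host under ingest.logs.chronosphere.io. The variable name CHRONOSPHERE_INGEST_TOKEN, the function names, and the sample event are assumptions; the body uses the tags/events shape of the humio-structured format.

```python
import json
import os
import re
import urllib.request

INGEST_SUFFIX = ".ingest.logs.chronosphere.io"
STRUCTURED_PATH = "/api/v1/ingest/humio-structured"
TOKEN_ENV = "CHRONOSPHERE_INGEST_TOKEN"  # assumed name, not defined by the docs


def ingest_url(address):
    """Build the ingest URL, refusing input that could change the target host."""
    # Allow only hostname characters (plus "_" for placeholders like MY_COMPANY):
    # "/", "@", "#", "?" or ":" in ADDRESS would send the token somewhere else.
    if not re.fullmatch(r"[A-Za-z0-9._-]+", address):
        raise ValueError(f"invalid ADDRESS: {address!r}")
    return f"https://{address}{INGEST_SUFFIX}{STRUCTURED_PATH}"


def load_token(env=os.environ):
    """Read the ingest token from the environment, never from source or config."""
    token = env.get(TOKEN_ENV, "")
    # Whitespace (CR/LF included) would allow header injection or a broken header.
    if not token or any(ch.isspace() for ch in token):
        raise ValueError(f"{TOKEN_ENV} is unset or contains whitespace")
    return token


def build_request(address, token, tags, events):
    """Return a POST request carrying one humio-structured batch (not sent)."""
    body = json.dumps([{"tags": tags, "events": events}]).encode("utf-8")
    return urllib.request.Request(
        ingest_url(address),
        data=body,
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )


if __name__ == "__main__":
    # Constructed sample event; send with urllib.request.urlopen(req, timeout=10).
    sample = [{"timestamp": "2024-01-01T00:00:00Z",
               "attributes": {"level": "info", "message": "ingest test"}}]
    try:
        req = build_request("MY_COMPANY", load_token(), {"host": "web-1"}, sample)
    except ValueError as err:
        raise SystemExit(f"refusing to build request: {err}")
    print(req.get_method(), req.full_url)  # the token itself is never printed
```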
FluentBit
If you use FluentBit, configure the [OUTPUT] section of your configuration file with the following parameters:
[OUTPUT]
    Name    http
    Host    ADDRESS.ingest.logs.chronosphere.io
    Port    443
    Uri     api/v1/ingest/json
    Format  json
    Header  Authorization Bearer API_TOKEN
    Tls     on
- Replace ADDRESS with your company name prefixed to your Chronosphere instance that ends in ingest.logs.chronosphere.io. For example, MY_COMPANY.ingest.logs.chronosphere.io.
- Replace API_TOKEN with the ingest API token you created in LogScale.