Existing ingestion configuration

Ingesting log data is a key step to ensure you parse your log data correctly before that data enters Chronosphere Observability Platform. Which data ingestion methods, and how many, you choose depend on your data sources.

Although Chronosphere recommends using Telemetry Pipeline to ingest log data, you can use your existing ingestion pipeline to send log data through LogScale to Observability Platform without modifying your current configuration.

CrowdStrike® Falcon LogScale™ supports many common ingestion sources such as Fluentd, Beats, OpenTelemetry, and other popular log shippers. If a LogScale integration isn't available for your ingestion sources, use the LogScale ingest API to ingest your log data.

To get started with ingesting logs using your existing ingestion configuration:

  1. Create an ingest API token.
  2. Update your existing ingest configuration.

Create an ingest API token

Before ingesting log data, you need to create an API token to authenticate with and ingest data to Observability Platform. See Ingest tokens in the LogScale documentation for more information about creating ingest tokens.

To create an ingest API token, you must have administrative permissions.

  1. In the navigation menu, select Explorers > Logs Explorer.
  2. Click Repository settings to open LogScale repository settings in a new tab.
  3. In the LogScale interface, select the repository you want to create an API token for.
  4. In the main LogScale navigation, click Settings.
  5. In the Ingest section of the sidebar navigation, click Ingest tokens.
  6. Click Add token to create a new ingest token.
  7. Enter a name for your token.
  8. Optional: Assign a parser for your token if you want to parse data during ingestion.
  9. Click Save to save your ingest token.
⚠️

Store your ingest API token in a secure location. If you lose your token, you must create a new one.

Use this ingest API token in your existing ingestion configuration to authenticate with and begin sending log data to Observability Platform.

Update your existing ingestion configuration

Chronosphere provides the following ingestion endpoint for log data:

https://ADDRESS.ingest.logs.chronosphere.io/

Replace ADDRESS with your company name, which prefixes the address of your Observability Platform instance that ends in ingest.logs.chronosphere.io. For example, MY_COMPANY.ingest.logs.chronosphere.io.

When sending log data to Observability Platform, use this endpoint to construct a complete URL in your existing ingestion configuration. The path portion of the URL depends on the collector you use and the format of your logs.

LogScale API

If you use the LogScale ingest API to ingest log data, the complete URL to send logs to Observability Platform is:

https://ADDRESS.ingest.logs.chronosphere.io/api/v1/ingest/humio-structured

The LogScale documentation includes a minimal configuration file example to start collecting log events.

Fluent Bit

If you use Fluent Bit, configure the output section of your configuration file with the following parameters:

pipeline:
    outputs:
        - name: http
          match: '*'
          host: ADDRESS.ingest.logs.chronosphere.io
          port: "443"
          uri: api/v1/ingest/json
          format: json
          header:
            - Authorization Bearer API_TOKEN
          tls: on

  • Replace ADDRESS with your company name, which prefixes the address of your Observability Platform instance that ends in ingest.logs.chronosphere.io. For example, MY_COMPANY.ingest.logs.chronosphere.io.
  • Replace API_TOKEN with the ingest API token you created in LogScale.