Existing ingestion configuration

Ingesting log data is a key step to ensure you parse your log data correctly before that data enters Chronosphere. Which data ingestion methods, and how many, you choose depend on your data sources.

Although Chronosphere recommends using Calyptia to ingest log data, you can use your existing ingestion pipeline to send log data through LogScale to Chronosphere without modifying your current configuration.

CrowdStrike® Falcon LogScale™ supports many common ingestion sources such as FluentD, Beats, OpenTelemetry, and other popular log shippers. If a LogScale integration isn't available for your ingestion sources, use the LogScale ingest API to ingest your log data.

To get started with ingesting logs using your existing ingestion configuration:

  1. Create an ingest API token.
  2. Update your existing ingest configuration.

Create an ingest API token

Before ingesting log data, you need to create an API token to authenticate with and ingest data to Chronosphere. See Ingest tokens in the LogScale documentation for more information about creating ingest tokens.

You must have administrative permissions in Chronosphere to complete this task.

  1. In the navigation menu, select Explorers > Logs Explorer.
  2. Click Repository settings to open LogScale repository settings in a new tab.
  3. In the LogScale interface, select the repository you want to create an API token for.
  4. In the main LogScale navigation, click Settings.
  5. In the Ingest section of the sidebar navigation, click Ingest tokens.
  6. Click Add token to create a new ingest token.
  7. Enter a name for your token.
  8. Optional: Assign a parser for your token if you want to parse data during ingestion.
  9. Click Save to save your ingest token.

Store your ingest API token in a secure location. If you lose your token, you must create a new one.

Use this ingest API token in your existing ingestion configuration to authenticate with and begin sending log data to Chronosphere.

Update your existing ingestion configuration

Chronosphere provides the following ingestion endpoint for log data:

https://ADDRESS.ingest.logs.chronosphere.io/

Replace ADDRESS with your company name prefixed to your Chronosphere instance that ends in ingest.logs.chronosphere.io. For example, MY_COMPANY.ingest.logs.chronosphere.io.

When sending log data to Chronosphere, use this endpoint to construct a complete URL in your existing ingestion configuration. The path portion of the URL depends on the collector you use and the format of your logs.

LogScale API

If you use the LogScale ingest API to ingest log data, the complete URL to send logs to Chronosphere is:

https://ADDRESS.ingest.logs.chronosphere.io/api/v1/ingest/humio-structured

The LogScale documentation includes a minimal configuration file example to start collecting log events.
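
The following is an added example, not taken from the Chronosphere or LogScale documentation. It builds a request for the endpoint above with the ingest token as a Bearer header, and it rejects an ADDRESS value that would send the token to a different host. The environment variable names and the single-label rule for ADDRESS are assumptions; the payload uses the tags/events layout of the LogScale structured ingest format.

```python
import json
import os
import re
import urllib.request
from datetime import datetime, timezone

INGEST_PATH = "/api/v1/ingest/humio-structured"  # path given on this page
# Assumption: the ADDRESS prefix is one DNS label (letters, digits, hyphens).
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def build_ingest_request(address, token, events, tags=None):
    """Return a urllib Request for the structured ingest endpoint (nothing is sent)."""
    if not _LABEL.fullmatch(address):
        # Rejects values such as "evil.example/x?" that would redirect the token.
        raise ValueError("ADDRESS must be a bare hostname label")
    if not token or any(c.isspace() for c in token):
        raise ValueError("ingest token is empty or contains whitespace")
    payload = [{
        "tags": tags or {},
        "events": [
            {"timestamp": ts.astimezone(timezone.utc).isoformat(), "attributes": attrs}
            for ts, attrs in events
        ],
    }]
    return urllib.request.Request(
        f"https://{address}.ingest.logs.chronosphere.io{INGEST_PATH}",
        data=json.dumps(payload).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )


def send(request, timeout=10):
    """POST the request; urllib verifies the TLS certificate by default."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample event. The address and token come from the environment
    # (hypothetical variable names) so the token never lands in source control.
    req = build_ingest_request(
        os.environ["CHRONOSPHERE_ADDRESS"],
        os.environ["LOGSCALE_INGEST_TOKEN"],
        [(datetime.now(timezone.utc), {"service": "auth", "msg": "login ok"})],
        tags={"host": "web-01"},
    )
    print(send(req))
```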

FluentBit

If you use FluentBit, configure the [OUTPUT] section of your configuration file with the following parameters:

[OUTPUT]
  Name   http
  Host   ADDRESS.ingest.logs.chronosphere.io
  Port   443
  Uri    api/v1/ingest/json
  Format json
  Header Authorization Bearer API_TOKEN
  Tls    on
  • Replace ADDRESS with your company name prefixed to your Chronosphere instance that ends in ingest.logs.chronosphere.io. For example, MY_COMPANY.ingest.logs.chronosphere.io.
  • Replace API_TOKEN with the ingest API token you created in LogScale.