Configure LogScale

To get started with Logs, you need to complete some configuration tasks within CrowdStrike® Falcon LogScale™. At a minimum, you need to:

• Create a repository within your LogScale organization.
• Create an ingest token to authenticate with LogScale and ingest data.

Administrators must create an ingest token to authenticate with LogScale. Ingest tokens map to a repository, and not to individual users. Multiple ingest tokens can exist for a single repository.

Optionally, you can create LogScale packages to export and then import repository settings to other repositories, and create views to group events across repositories.

LogScale requires you to select an existing parser or create a customer parser, which creates columns from the raw log data. Parsing ensures faster queries because LogScale uses a schema-on-read approach.

Recommendations

Chronosphere strongly recommends the following actions:

• Structure your log data and then use the LogScale JSON parser (opens in a new tab) to pass that data from your ingest source to LogScale.

• Parse your data in Calyptia or your current ingest pipeline, and then pass your data to LogScale. Although LogScale requires you to use a parser and link it to your ingest token, keep your parsing logic separate to avoid duplication.

  Your data must have a @timestamp field to be searchable in LogScale. If the parser doesn't assign a @timestamp field, LogScale assigns the current system time to that field. See Parsing timestamps (opens in a new tab) in the LogScale docs for more information.

• Create one or more views to limit data access to specific users. Although optional, views circumvent the limitation of hiding or restricting data access in a repository.

Prerequisites

Learn about the Key LogScale concepts before completing the required configuration steps.

LogScale configuration steps

Complete the following configuration tasks in LogScale:

1. In your LogScale organization, create a repository (opens in a new tab). See repository settings (opens in a new tab) for more information.

   To ensure optimal query performance, Chronosphere recommends keeping the number of repositories you create fewer than 100.

2. Optional: Choose one of the following options to define a custom parser if the stock parsers don't fit your needs:

   • Duplicate an existing parser (opens in a new tab) and modify it to fit your needs.
   • Search the LogScale package marketplace (opens in a new tab) for a parser that suits your needs.
   You can create OR statements in a single parser that apply to multiple data types. Use this conditional behavior to handle similar data with minimal variations, such as different timestamp formats where the remainder of the data is the same.

3. Create an ingest token (opens in a new tab) to authenticate with LogScale and ingest data, and assign a parser.

4. Optional: Create a view (opens in a new tab) to group specific events from one or more repositories.

5. Optional: Create a package (opens in a new tab) to make assets reusable across repositories.