To get started with Logs, powered by CrowdStrike, you need to complete some configuration tasks within CrowdStrike® Falcon LogScale™. At a minimum, you need to:
- Create a repository within your LogScale organization.
- Create an ingest token to authenticate with LogScale and ingest data.
Administrators must create an ingest token to authenticate with LogScale. Ingest tokens map to a repository, and not to individual users. Multiple ingest tokens can exist for a single repository.
Optionally, you can create LogScale packages to export and then import repository settings to other repositories, and create views to group events across repositories.
LogScale requires you to select an existing parser or create a custom parser, which creates columns from the raw log data. Parsing ensures faster queries because LogScale uses a schema-on-read approach.
Chronosphere strongly recommends the following actions:
- Structure your log data and then use the LogScale JSON parser to pass that data from your ingest source to LogScale.
- Parse your data in Calyptia or your current ingest pipeline, and then pass your data to LogScale. Although LogScale requires you to use a parser and link it to your ingest token, keep your parsing logic separate to avoid duplication.
- Your data must have a `@timestamp` field to be searchable in LogScale. If the parser doesn't assign a `@timestamp` field, LogScale assigns the current system time to that field. See Parsing timestamps in the LogScale docs for more information.
- Create one or more views to limit data access to specific users. Views are optional, but they work around the lack of a way to hide or restrict access to data within a single repository.
Learn about the Key LogScale concepts before completing the required configuration steps.
Complete the following configuration tasks in LogScale:
To ensure optimal query performance, Chronosphere recommends keeping the number of repositories you create below 100.
Optional: Choose one of the following options to define a custom parser if the stock parsers don't fit your needs:
- Duplicate an existing parser and modify it to fit your needs.
- Search the LogScale package marketplace for a parser that suits your needs.
You can create `OR` statements in a single parser that apply to multiple data types. Use this conditional behavior to handle similar data with minimal variations, such as different timestamp formats where the remainder of the data is the same.
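The two recommendations above (keep parsing logic in your own pipeline, and guarantee a `@timestamp` field so LogScale never falls back to ingest time) can be combined in the shipper itself. The following is an added example, not Chronosphere or LogScale code: it normalizes two timestamp layouts from the same source, the "minimal variation" case described above, and builds a structured ingest request. The endpoint path `/api/v1/ingest/humio-structured`, the `tags`/`events`/`attributes` body shape, the `LOGSCALE_INGEST_TOKEN` variable and the sample records are assumptions for the example.

```python
"""Pre-parse log records into structured JSON with a guaranteed @timestamp before
shipping them to LogScale. Added example, not Chronosphere or LogScale code.
Assumed: the structured ingest endpoint path and request body shape."""
import json
import os
import urllib.request
from datetime import datetime, timezone

# Two timestamp layouts emitted by the same source (a "minimal variation" case).
# Records are normalized here, in the pipeline, not in a LogScale parser.
TS_FORMATS = ("%Y-%m-%dT%H:%M:%S%z", "%d/%b/%Y:%H:%M:%S %z")

def normalize_timestamp(raw: str) -> str:
    """Return an ISO-8601 UTC string for a known layout, or raise ValueError.
    Raising (instead of silently defaulting) avoids LogScale stamping the event
    with ingest time, which would distort any time-based investigation."""
    for fmt in TS_FORMATS:
        try:
            return datetime.strptime(raw, fmt).astimezone(timezone.utc).isoformat()
        except ValueError:
            continue
    raise ValueError(f"unrecognized timestamp: {raw!r}")

def to_structured_events(records: list[dict]) -> list[dict]:
    """Build the request body: one tag group, one event per record, with the
    raw 'ts' field replaced by a normalized top-level timestamp."""
    events = []
    for rec in records:
        attrs = {k: v for k, v in rec.items() if k != "ts"}
        events.append({"timestamp": normalize_timestamp(rec["ts"]), "attributes": attrs})
    return [{"tags": {"source": "example-app"}, "events": events}]

def ship(base_url: str, payload: list[dict]) -> int:
    """POST the payload. The ingest token (which maps to a repository, not a
    user) is read from the environment rather than embedded in code."""
    token = os.environ["LOGSCALE_INGEST_TOKEN"]  # assumed variable name
    req = urllib.request.Request(
        f"{base_url}/api/v1/ingest/humio-structured",  # assumed endpoint
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

# Constructed sample records mixing both timestamp layouts.
SAMPLE = [
    {"ts": "2024-03-01T12:00:00+0000", "user": "alice", "action": "login", "result": "ok"},
    {"ts": "01/Mar/2024:12:00:05 +0000", "user": "bob", "action": "login", "result": "fail"},
]

if __name__ == "__main__":
    print(json.dumps(to_structured_events(SAMPLE), indent=2))
```

Running the module prints the prepared body without sending it; call `ship()` with your LogScale base URL once the token is set in the environment.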
Create an ingest token to authenticate with LogScale and ingest data, and assign a parser.
Optional: Create a view to group specific events from one or more repositories.
Optional: Create a package to make assets reusable across repositories.