CrowdStrike Falcon LogScale, formerly known as Humio, is a centralized log management technology that allows organizations to make data-driven decisions about the performance, security and resiliency of their IT environment. As the most scalable log management platform on the planet, Falcon LogScale enhances observability for all log and event data by making it fast and easy to explore critical log information, eliminate blind spots and find the root cause of any incident. Falcon LogScale gives IT organizations a single platform that can store, analyze and retain all log and events data at petabyte scale. Falcon LogScale minimizes the computing and storage resources required to ingest, search, transform and retain log data. As a result, Falcon LogScale offers a lower total cost of ownership than legacy platforms, while delivering the power and speed needed in today’s complex IT infrastructures.
CrowdStrike Falcon® LogScale FAQ
Learn how a centralized log management technology enhances observability across your organization.
Falcon LogScale helps you gain valuable insights with a powerful, flexible and intuitive platform that delivers live observability across distributed systems. The technology aggregates streaming data in real time, with hybrid options that allow you to choose where the ingested data resides. And Falcon LogScale’s innovative index-free architecture resolves data storage challenges by compressing data by an average of 15x.
With Falcon LogScale, you can:
- Aggregate, ingest and analyze massive volumes of streaming log data from a wide array of sources.
- Increase data fidelity and cardinality by storing data in a central location, which enables systemwide analysis to identify correlated events.
- Efficiently query log data with sub-second latency, making it easier and more cost effective to manage data at scale.
- Achieve industry-leading data compression rates with minimal strain on computation resources.
- Perform full-fidelity investigations and confidently uncover the full extent of cyberattacks.
- Create configurable, shared dashboards that make it easy for IT teams to visualize and analyze complex systems.
- Examine both application-layer data and infrastructure-level information for complete observability across all microservices.
- Collate events both upstream and downstream to gain insights and prevent issues.
Falcon LogScale is purpose-built for the scale of today’s data volumes. Traditional logging solutions manage logging like a general-purpose database, using indexing processes that require additional computational and hardware resources on top of the storage of the log data itself. Because of this outdated architecture and antiquated licensing designed for smaller ingestion limits, traditional log management vendors require users to limit access to data and to filter for the types of logs that have the highest value to monitor. Falcon LogScale changes how organizations use log data by making it easy and affordable to log everything and answer anything, all in real time.
Data is growing exponentially and traditional log management solutions lack the technology or accessibility required to meet the needs of modern IT. Legacy solutions treat logging like a general-purpose database by organizing and searching datasets using outdated indexing techniques. This consumes excessive CPU and memory resources, which adds hardware expenses. It also introduces delays in both ingestion and search, slowing the time it takes to get results, inhibiting investigations and creating additional risk and cost.
What organizations often lack is true observability. Logs, a critical component of a modern data fabric, are fundamental for diagnosing system health and launching investigations. But IT teams experienced with traditional log management solutions know the challenges of managing logs from distributed and legacy systems. These can include:
- Exorbitant costs associated with logging high data volumes
- Slow search speeds that hamper investigations
Falcon LogScale was developed with a simple goal: make it simple and cost effective to look at logs, begin to ask questions and dig deeper by searching for errors or filtering by certain parameters.
To make this possible, Falcon LogScale used these principles:
- Create an easy way to ingest and manage massive amounts of logs and troubleshoot with an easy-to-use query language
- Build a system that makes it cost effective to retain log data for future reference and allow users to absorb large spikes in incoming data
- Provide configurable, shared dashboards that make it easy for teams to visualize data, carry out investigations and collaborate
- Deliver interactive ways for users to discover and explore their data
- Keep everything simple yet powerful
Falcon LogScale enables organizations to understand large amounts of computer-generated data, instantly pinpoint availability concerns and identify security threats in any complex computing environment. It is a uniquely powerful tool for enterprises that ingests multiple terabytes of data per day with ease. It can be thought of as a powerhouse for logs.
New requirements and responsive support requests have created a new development velocity. Businesses require higher-speed development and continuous deployment of applications and solutions. Full observability of all relevant data is critical for enabling successful deployments with fewer user interruptions and no system vulnerabilities.
Digital transformation has changed the way applications are developed and deployed. Today’s applications and systems are highly dynamic, leveraging new container and cloud technologies that enable high-speed development and continuous delivery of new services. Falcon LogScale makes it possible for DevOps, SecOps and ITOps teams to send and receive instant visibility to all relevant log data in one solution — available in flexible hybrid deployment options. By democratizing logging with an intuitive interface and easy-to-use query language, users can observe and interact with their entire system.
The need for instant access to real-time insights from large volumes of log data has never been greater. Falcon LogScale gives users a time-series database engine that is optimized to instantly ingest and aggregate a large range of log data volumes. To understand an organization’s systems, it takes real-time ingestion of terabytes of data for further analysis, visualization and retention. With the power that Falcon LogScale provides, unlimited logging becomes a valuable solution for incident management, troubleshooting and audit scenarios.
Yes. In general, Falcon LogScale can manage about 1 TB of ingest log volume/day on a single node. If you're over this volume, we can provide dedicated engineering support to assist in the install, test and production setup of a clustered version. Contact us to set up a trial.
You can download Falcon LogScale Community Edition at Getting started.
Falcon LogScale is a flexible log management solution. We offer flexible options enabling user autonomy to choose where they want ingested data to reside. Consider what works best for your application and organization and we are happy to help you find the setup to best suit your needs.
Yes. Moving to Falcon LogScale is easy! We have several common integrations to bring your logs into Falcon LogScale, and we even have a guide on moving from Elastic Stack to Falcon LogScale - it’s as easy as following a few steps to get your logs flowing.
For more information, see Looking for an Alternative to Splunk, Elasticsearch, Sumo Logic, or Datadog?
While this list is not exhaustive, Falcon LogScale recommends Beats, Logstash, or Rsyslog for shipping your logs. We can take advantage of other solutions, but these are the most common we’ve experienced.
Yes. Falcon LogScale integrates with several common notification methods including email, Slack and external services like OpsGenie. If you need Falcon LogScale to work with your particular notification system, please contact our support team.
There are multiple benefits to using compression in Falcon LogScale.
- Data takes up less disk space.
- Data is read from disk faster. Data stays compressed while it is read from disk into RAM. For example, with a compression factor of 10, a disk with a read speed of 1 gigabyte per second allows Falcon LogScale to read the equivalent of 10 gigabytes per second of log data into RAM. This is also why Falcon LogScale searches faster than the raw read speed of the available disks would suggest.
- Data is read from RAM into the CPU faster. By keeping data compressed, we make better use of the bandwidth between RAM and CPU. Falcon LogScale strives to keep data compressed as close to the CPU as possible, then decompresses the data in the CPU caches and searches it there.
The tradeoff is that the CPU needs to spend work decompressing data. Falcon LogScale uses a compression algorithm that is very fast at decompressing data (LZ4), which is why compression brings many benefits.
Falcon LogScale can also be configured to use a compression algorithm that compresses data even more tightly (ZFS compression). The choice of compression is then a tradeoff, since more CPU resources are needed to decompress. It should be made according to the data size in the cluster and the ratio between disk and CPU resources in the cluster: with better compression, you can read data from disks faster, but you need to spend more CPU time decompressing.
Falcon LogScale provides flexible retention policies, including licenses for 30, 60, 90, 180 and 365 days of retention. Other retention options are available.
Easily understanding machine data and quickly investigating with deeper insights is critical in managing systems and preventing interruptions. The increase of interconnected data across complex, distributed systems has driven developers to rethink cloud and global IT strategies and also reset traditional development and DevOps workflows. Falcon LogScale enables organizations to understand large amounts of data, instantly pinpoint availability concerns and identify vulnerabilities in any complex computing environment. Falcon LogScale ingests and aggregates log data or records of activities that occur in applications, both web and desktop, servers and devices.
Viewing the health and stability of entire systems is more imperative than ever. DevOps teams need live observability of all data — both structured and unstructured — from all sources to understand, visualize and analyze the systems they run.
Falcon LogScale allows teams to monitor for health checks run against internal and external applications and systems.
Log data helps provide contextual information about events and allows users to explore and identify vulnerabilities and issues in the code.
The movements towards DevOps, microservices and containers make it harder for teams to observe and interact easily with modern complex systems. Existing SIEM solutions often fall short when identifying threats and anomalies. Developers, security teams and operations managers are responsible for the services they run. They require a solution that gives them a simple way to have instant access to the state of their applications, services, servers, devices and more, all in real time.
Understanding all data and the relationships between them is critical in managing systems and preventing security incidents. The amount of data customers need to consider is growing exponentially, which makes it increasingly important for them to have complete visibility to all of that data.
While other solutions continue to limit access to customers’ data through pre-determined views or limits set to just samples of data, Falcon LogScale enables users to log everything and answer anything, in real time. Falcon LogScale unlocks the ability to log limitlessly without adding complexity. Falcon LogScale’s transformative site license removes logging constraints and shifts the organizational culture to improve cybersecurity, privacy and business resilience. By removing obstacles and giving customers autonomy, Falcon LogScale enables users to determine their own logging practices without concern for restrictive technological, hardware or financial resources.
As systems become more complex, more surfaces reveal themselves to hackers looking to steal data or inject malware into environments that may ultimately bring organizations down. Falcon LogScale enables enterprises to achieve an aggregated view of all relevant network security data sources to explore and manage ever-increasing threats and vulnerabilities.
Security teams want a full view across their system, in real-time, beyond just samples of data or a predefined view when exploring and investigating risks and anomalies.
Falcon LogScale is a transformative and proprietary solution for log management, ideal for security professionals. At the heart of Falcon LogScale’s solution is a time-series database engine that is optimized to ingest and aggregate large log data volumes instantly. Falcon LogScale does not require heavy indexing at ingest and instead uses hardware resources at search time - when they are required the most.
Addressing questions such as “why is our performance down?”, “where is this suspicious network activity coming from?”, “what patterns have we had over the last 30 days?” and “what is happening right now?” is what Falcon LogScale is built to do - in real-time. Falcon LogScale also does heavy compression of data as it enters the system, allowing for efficient storage of raw log data.
Falcon LogScale is significantly advancing threat hunting capabilities with a comprehensive border security platform that encompasses all of the system data, structured and unstructured. The platform is purpose-built to ingest and aggregate large log data volumes instantly, analyze and correlate across all of that data within all types of infrastructure.
Falcon LogScale’s proprietary time-series database engine is optimized to ingest and aggregate large log data volumes instantly, analyze and correlate across all data within all types of infrastructure significantly advancing threat hunting capabilities.
Through Falcon LogScale’s live, proactive monitoring, security teams can investigate any threats or compromises and are able to analyze and explore the events being logged every second on network boundary devices.
Gartner coined the term SIEM in 2005 based on a specific set of capabilities, including the ability to analyze event data in real time for early detection of targeted attacks and data breaches. Additionally, a SIEM allows you to collect, store, investigate and report on log data for incident response, forensics and regulatory compliance. The technology aggregates event data produced by security devices, network infrastructure, systems and applications. The primary data source is log data, but SIEM technology can also process other forms of data, such as network telemetry. Also, in a SIEM, event data is combined with contextual information about users, assets, threats and vulnerabilities. The data may be normalized so that events, data and contextual information from disparate sources can be analyzed for specific purposes such as network security, event monitoring, user activity monitoring and compliance reporting. The technology provides real-time analysis of events for security monitoring, query and long-range analytics for historical analysis.
Falcon LogScale doesn’t focus on all those particular capabilities, although topics like real-time analytics of events and long-range queries are strengths of the technology. From our experience, SIEM solutions rarely act as a “one-stop shop” for management; most of these functions take place outside the SIEM. For example, almost all detections and actions get pushed to SOAR platforms or services like ServiceNow. Falcon LogScale customers do this in conjunction with standard ticketing tools like Jira and dedicated incident management tools like TheHive.
Detect more threats faster and investigate with greater intelligence. Falcon LogScale delivers real-time performance for system monitoring and investigation allowing users to ingest huge amounts of data for ad-hoc queries and search.
Monitoring and searches
With Falcon LogScale’s instant visibility, security teams have continuous insights that enable immediate responses and actions to strengthen the performance across systems, prevent infrastructure breakdowns and protect against attacks.
Developers, security teams and operations managers require visibility across the state of their applications, services, servers, devices and more, all in real time. Falcon LogScale enables teams to understand all of their data to optimize the performance of their applications, prevent infrastructure breakdowns and protect against malware.
As systems become more complex, more surfaces reveal themselves to hackers looking to steal data or inject malware into environments to ultimately bring organizations down. Falcon LogScale enables enterprises to achieve an aggregated view of all relevant network security data sources to explore and manage ever-increasing threats and vulnerabilities within one cost-effective platform, using an easy and intuitive search language.
Ingestion and retention
Limited data retention makes it nearly impossible for teams to see the complete history of an attack, minimizing threat context and hindering an investigator’s ability to effectively find and remediate threats. This lack of access to historical data and contextual information can lead to slower time-to-detect and cause security teams to potentially miss key threat activities as they fall through the visibility gaps, increasing dwell time and putting organizations at risk of a breach.
Falcon LogScale provides the ability to ingest over 1 PB of data each day, allowing organizations to expand the horizon for data retention. Falcon Long Term Repository (LTR) gives you the ability to combine a wide variety of structured, unstructured and semi-structured data and provides access to extended data retention for a year or longer. By giving access to more data — and a longer timeframe to retain that data — your team can gain visibility and threat context across your growing attack surface.
With Falcon LTR, you get deep, contextual and faster analytics on massive amounts of log data combined with enriched security data across endpoints, workloads and identities, including the correlation of Falcon IOCs. With powerful search and threat hunting capabilities, you can observe, analyze and act from all data — both real-time and long-term historic data — and detect potential threats faster and more accurately.
Investigations and responses
The Falcon LogScale data-driven security solution provides incident responders and threat hunters the ability to instantly visualize, search and explore their network data through an intuitive UI.
Falcon LogScale gives network security teams data-driven exploration in a cost-effective solution, enabling comprehensive log data analysis instead of spending the budget on log management processing costs.
Instant access to logs is imperative in security incident response. Through centralized logging, Falcon LogScale users can explore and monitor their logs immediately, and by enabling the transmission of data from any source, audits become quick, easy and secure.
Falcon LogScale’s instant observability is a critical asset for security event monitoring organizations tasked with thwarting attacks and minimizing dwell time and other time-critical scenarios.