Harness Falcon Log Collector for Seamless Third-Party Data Collection

January 8, 2025



In cybersecurity, effective log collection and analysis are critical for identifying and mitigating threats. The Falcon Log Collector is a powerful tool designed to simplify and enhance log ingestion, enabling security teams to gain visibility and take decisive action. In this blog, we’ll explore the Falcon Log Collector, its key capabilities, and how it empowers organizations to stay ahead of sophisticated cyber threats.



What is the Falcon Log Collector?

The Falcon Log Collector is a lightweight, flexible application that simplifies log ingestion from various sources. It seamlessly integrates with CrowdStrike Falcon Next-Gen SIEM to ensure that logs from disparate systems are ingested and analyzed in a centralized location. This capability provides organizations with comprehensive visibility across their IT ecosystem and strengthens their ability to detect, investigate, and respond to threats.

Key Capabilities of the Falcon Log Collector

Data ingestion capabilities:

 The Falcon Log Collector supports a wide range of data sources, including but not limited to:
    – Firewall logs
    – Web proxy logs
    – Syslog (for Linux and other Unix-based systems)
    – Windows Event Logs
    – Custom application logs

This flexibility ensures that organizations can collect and analyze logs from virtually any part of their infrastructure.

Seamless Integration with CrowdStrike Falcon Next-Gen SIEM

The Falcon Log Collector integrates natively with CrowdStrike Falcon Next-Gen SIEM, targeting its ingest API to deliver actionable insights. By routing logs directly into Falcon Next-Gen SIEM, security teams gain access to powerful tools for data correlation, visualization, and threat detection.

Lightweight and Scalable by Design

The Falcon Log Collector is built for scalability. Its lightweight design ensures minimal resource consumption, allowing it to operate efficiently even in large, complex environments. This makes it ideal for enterprises with growing data ingestion needs.

Real-Time Log Ingestion

With the Falcon Log Collector, logs are ingested in real time, ensuring that security teams can respond to threats as they emerge. This capability significantly reduces the time it takes to detect and act on critical security events.

Customizable Data Filtering

Organizations want control over what is ingested into their SIEMs. With the Falcon Log Collector, events can be filtered at the edge. Edge filtering for logging refers to the practice of filtering log data closer to the source of its generation (e.g., on the endpoint device, IoT sensor, or edge server) before forwarding it to a centralized system. Amongst the benefits that may arise from filtering at the edge are:

  • Ensuring that only relevant data is collected, reducing noise. 
  • Reducing egress costs and saving bandwidth: events dropped at the edge are never transmitted, and what is sent can be compressed.
  • Reducing data ingest, thereby reducing data volume license costs. 
  • Ensuring GDPR- and privacy-sensitive events never leave your infrastructure.

For Windows events, the Falcon Log Collector offers considerable configurability: you can choose which Windows event channels to collect and which severity levels to keep, and you can include or exclude events by Windows event ID. For all other sources, events can be included or excluded using regular expression filters.
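Before changing the collector's filters, it helps to know which events dominate volume and what a candidate policy would keep. The following is an added example, not code from the Falcon Log Collector or from CrowdStrike: it models the filter types described above (channel selection, severity level, event-ID include/exclude lists, and regex include/exclude for non-Windows lines), runs them over a constructed sample, and reports the ingest reduction. All policy field names are this example's own and are not collector configuration keys; the sample events and proxy lines are constructed.

```python
"""Edge-filtering model: what survives a channel/level/event-ID policy and a regex policy.

Added example, not collector code. Policy field names are this example's own,
not Falcon Log Collector configuration keys. Sample data below is constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Windows event levels: 1 Critical, 2 Error, 3 Warning, 4 Information, 5 Verbose.
LEVEL_WARNING, LEVEL_INFORMATION, LEVEL_VERBOSE = 3, 4, 5


@dataclass
class ChannelPolicy:
    """Keep events from one channel, optionally limited by level and event ID."""
    channel: str
    max_level: int = LEVEL_VERBOSE              # keep events whose level is <= max_level
    only_event_ids: frozenset = frozenset()     # if non-empty, only these IDs are kept
    exclude_event_ids: frozenset = frozenset()  # always dropped, even if in only_event_ids

    def keep(self, ev: dict) -> bool:
        if ev["channel"] != self.channel or ev["level"] > self.max_level:
            return False
        if self.only_event_ids and ev["event_id"] not in self.only_event_ids:
            return False
        return ev["event_id"] not in self.exclude_event_ids


@dataclass
class RegexPolicy:
    """Line filter for non-Windows sources; exclude patterns win over include patterns."""
    include: tuple = ()   # if non-empty, a line must match at least one to be kept
    exclude: tuple = ()   # any match drops the line

    def keep(self, line: str) -> bool:
        if any(re.search(p, line) for p in self.exclude):
            return False
        return not self.include or any(re.search(p, line) for p in self.include)


def filter_windows(events, policies):
    """Keep events accepted by any channel policy; channels without a policy are not collected."""
    return [ev for ev in events if any(p.keep(ev) for p in policies)]


def filter_lines(lines, policy):
    return [ln for ln in lines if policy.keep(ln)]


def noisiest_event_ids(events, n=3):
    """Volume per (channel, event_id): the usual starting point for choosing exclusions."""
    return Counter((ev["channel"], ev["event_id"]) for ev in events).most_common(n)


def reduction_percent(before, after):
    return round(100.0 * (len(before) - len(after)) / len(before), 1)


# --- constructed sample data (not real logs) ----------------------------------
def _win(channel, event_id, level=LEVEL_INFORMATION, n=1):
    return [{"channel": channel, "event_id": event_id, "level": level}] * n

SAMPLE_WINDOWS_EVENTS = (
    _win("Security", 4624, n=3)                    # successful logons
    + _win("Security", 4625)                       # failed logon
    + _win("Security", 4662, n=5)                  # object access: typically very noisy
    + _win("Security", 4688)                       # process creation
    + _win("Security", 5156, n=4)                  # filtering platform connection: very noisy
    + _win("System", 7045)                         # new service installed
    + _win("System", 7036, n=3)                    # service start/stop chatter
    + _win("Application", 1000, level=2)           # application error
    + _win("Application", 1, level=LEVEL_VERBOSE)  # verbose tracing
)

SAMPLE_PROXY_LINES = [
    "proxy: user=alice url=https://example.com/ status=200",
    "proxy: user=bob url=https://example.com/health status=200",           # health check noise
    "proxy: user=carol url=https://malware.test/payload.exe status=403",
    "sshd: Accepted publickey for dave from 10.0.0.5",                    # not a proxy line
    "proxy: user=erin url=https://example.com/patient/12345 status=200",  # privacy-sensitive path
]

WINDOWS_POLICIES = [
    ChannelPolicy("Security", exclude_event_ids=frozenset({4662, 5156})),
    ChannelPolicy("System", only_event_ids=frozenset({7045, 7034})),
    ChannelPolicy("Application", max_level=LEVEL_WARNING),
]
PROXY_POLICY = RegexPolicy(include=(r"^proxy:",), exclude=(r"/health\b", r"/patient/"))


if __name__ == "__main__":
    kept = filter_windows(SAMPLE_WINDOWS_EVENTS, WINDOWS_POLICIES)
    print("noisiest:", noisiest_event_ids(SAMPLE_WINDOWS_EVENTS))
    print(f"windows: {len(SAMPLE_WINDOWS_EVENTS)} -> {len(kept)} "
          f"({reduction_percent(SAMPLE_WINDOWS_EVENTS, kept)}% dropped at the edge)")
    print(f"proxy: {len(SAMPLE_PROXY_LINES)} -> {len(filter_lines(SAMPLE_PROXY_LINES, PROXY_POLICY))}")
```

Two design choices worth carrying over to the real configuration: exclusions take precedence over inclusions, so a privacy pattern cannot be overridden by a broad include, and a channel with no policy is not collected at all, which is the safe default when onboarding a new host.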

Secure and Reliable Data Transmission

The Falcon Log Collector uses secure protocols to transmit data, ensuring that sensitive log information remains protected during collection and transport. Additionally, built-in reliability features help ensure that logs are delivered without data loss, even in the event of network disruptions. Note that this protects the hop from the collector to Falcon Next-Gen SIEM (HTTPS to the ingest endpoint); a plain UDP or TCP syslog feed into the collector, like the one in the sample configuration below, is neither encrypted nor authenticated between the source and the collector, and UDP messages can be lost before the collector ever sees them, so keep that hop on a trusted network segment and prefer TCP where the source supports it.

Benefits of Using the Falcon Log Collector

  • Enhanced Threat Detection
    By consolidating logs from diverse sources, the Falcon Log Collector provides the data needed to identify and investigate threats that might otherwise go unnoticed.
  • Streamlined operations
    The centralized management and real-time processing capabilities reduce the workload on security teams, enabling them to focus on high-priority tasks.
  • Improved decision making
    With actionable insights generated from collected logs, security teams can make informed decisions quickly. The lightweight design and customizable log filtering reduce resource consumption and data storage costs.

Getting Started with Falcon Log Collector

Setting up the Falcon Log Collector is straightforward:

1. Install and Configure

Download the Falcon Log Collector (it may be listed as the LogScale Collector) from the Falcon console and configure it to collect logs from your desired sources. To download it, navigate to Support and resources > Tool downloads. Make sure you download the latest version; see the Falcon Log Collector release notes for the current version number and for information about what is new.

2. Send logs into Falcon Next-Gen SIEM

Set up the Falcon Log Collector to forward logs to CrowdStrike Falcon Next-Gen SIEM for analysis.

Sample configuration file for syslog collection:

#####
## Sample configuration file for Linux or Microsoft Windows.
## This is YAML, so structure and indentation is important.
## Lines can be uncommented by removing the #. You should not need to change the number of spaces after that.
## Config options have a single #, comments have a ##. Only uncomment the single # lines if you need them.
#####

sources:
  syslog_udp_1514:
    type: syslog
    mode: udp
    ## 1514 rather than 514: ports below 1024 require elevated privileges on Linux.
    port: 1514
    sink: next-gen-siem
    ## Optional: Set the maximum event size (in bytes)
    # maxEventSize: 1048576  # 1 MB
    ## The default maxEventSize for syslog over UDP is 2048 bytes. Increase this value if you expect larger syslog messages.

  ## Same port number over TCP; UDP and TCP listeners do not conflict.
  syslog_tcp_1514:
    type: syslog
    mode: tcp
    port: 1514
    sink: next-gen-siem

sinks:
  next-gen-siem:
    type: hec
    ## Token and URL come from the HEC connector configured in Falcon Next-Gen SIEM.
    ## The token is a credential: keep this file out of version control and readable only by the collector's user.
    token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Y.crowdstrike.com
    proxy: none
    workers: 4
For additional syslog configuration options for the Falcon Log Collector, see:
https://library.humio.com/falcon-logscale-collector/log-collector-config-advanced-example.html#log_collector_config_example-syslog

3. Monitor and Optimize

Continuously monitor log ingestion and make adjustments to ensure optimal performance and relevance.

The Falcon Log Collector's ability to collect, filter, and securely transmit logs from a wide range of sources ensures that organizations have the data they need to maintain a robust security posture. Whether you're looking to enhance visibility, streamline operations, or improve compliance, the Falcon Log Collector provides the tools to achieve your goals.

Ready to see how the Falcon Log Collector can transform your organization’s security operations? Contact us today or explore the documentation to get started!


Additional Resources

Watch demo videos: Learn how to detect, investigate and stop threats with Falcon Next-Gen SIEM by viewing fast-paced demos.