I had a similar issue. I'm on ELK stack 18.14.2, CrowdStrike integration version 1.39.0, and CrowdStrike Falcon Intelligence 1.1.3.
I use the Falcon SIEM Connector, and see logs in /var/log/crowdstrike/falconhoseclient/output and alerts coming in, as well as collecting CrowdStrike logs via the API.
For the API collector, I have the "Alerts" and "Hosts" scopes enabled. For the SIEM connector, I have an API client with "Alerts", "Hosts", "Detections", "Falcon Data Replicator" and "Event Streams" enabled. I think "Event Streams" alone should be enough for that.
I went to the host running elastic-agent where the integration is installed and did a "systemctl restart elastic-agent". That seems to have fixed the issue.
> I went to the host running the elastic-agent where the integration is installed and did a "systemctl restart elastic-agent". That seems to have fixed the issue.

I can't do that on CrowdStrike, can I? I don't have an elastic-agent on CrowdStrike since it's a web-based service. Or do I need to install the agent on the Elastic server itself?

> /var/log/crowdstrike/falconhoseclient/output

Is it normal that I don't have this log file at all on my Linux server where Elastic is running?
Also, I found the file on the Linux server that was disabled: /etc/filebeat/modules.d/crowdstrike.yml.disabled.
I activated it and modified it like this:

```yaml
# cat /etc/filebeat/modules.d/crowdstrike.yml
- module: crowdstrike
  falcon:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
```
I assume Filebeat would support the same functionality as the agent integration.
With that, you have 3 options:
- get info about events/alerts/hosts from the Falcon SIEM Connector;
- use the FDR and fetch the logs from e.g. S3;
- or query the CS REST API.
I have the first installed on a VM where Agent is running, and it parses the previously mentioned log file, which is created and filled by the Falcon SIEM Connector.
Additionally, I have it querying the REST API.
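The thread boils down to a few local things to verify before restarting anything: whether the SIEM Connector is actually writing its output file, whether that file is still being updated, whether the Filebeat crowdstrike module is really enabled, and whether elastic-agent or filebeat is running. The script below is an added example written for this reply, not code from the thread, from Elastic or from CrowdStrike. It assumes the default paths named above (`/var/log/crowdstrike/falconhoseclient/output` and `/etc/filebeat/modules.d/crowdstrike.yml`), which can be overridden through the `CONNECTOR_OUT` and `FILEBEAT_MOD` environment variables; the freshness threshold of 15 minutes is an assumed value.

```shell
#!/bin/sh
# Added example (not from the thread): local health checks for the pieces
# discussed above. Each check is a function returning 0 (ok) or 1 (problem)
# so the pieces can be reused or tested individually.

# Assumed defaults, taken from the paths mentioned in the thread.
CONNECTOR_OUT="${CONNECTOR_OUT:-/var/log/crowdstrike/falconhoseclient/output}"
FILEBEAT_MOD="${FILEBEAT_MOD:-/etc/filebeat/modules.d/crowdstrike.yml}"
FRESH_MINUTES="${FRESH_MINUTES:-15}"   # assumed threshold for "still receiving events"

# 0 if the SIEM Connector output file exists and is non-empty.
# Missing file usually means the connector is not installed on this host
# (it writes locally, so it must run where the log is collected).
connector_output_present() {
  [ -s "$1" ]
}

# 0 if the file was modified within the last $2 minutes.
# A present-but-stale file points at the connector's API client
# (e.g. missing "Event Streams" scope) rather than at Elastic.
connector_output_fresh() {
  _path="$1"; _minutes="$2"
  [ -f "$_path" ] && [ -n "$(find "$_path" -mmin "-$_minutes" 2>/dev/null)" ]
}

# 0 if the Filebeat module file exists under its active name (no .disabled
# suffix) and contains an "enabled: true" line.
filebeat_module_enabled() {
  [ -f "$1" ] && grep -Eq '^[[:space:]]*enabled:[[:space:]]*true[[:space:]]*$' "$1"
}

# 0 if the named systemd unit is active (elastic-agent, filebeat, ...).
# Returns 1 on hosts without systemctl rather than erroring out.
unit_active() {
  command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet "$1"
}

# Prints one line per check; exits non-zero if any check failed.
run_checks() {
  _rc=0
  for _unit in elastic-agent filebeat; do
    if unit_active "$_unit"; then echo "ok   unit $_unit active"
    else echo "warn unit $_unit not active (fine if this host does not use it)"; fi
  done
  if connector_output_present "$CONNECTOR_OUT"; then
    echo "ok   connector output present: $CONNECTOR_OUT"
    if connector_output_fresh "$CONNECTOR_OUT" "$FRESH_MINUTES"; then
      echo "ok   connector output updated within ${FRESH_MINUTES}m"
    else
      echo "FAIL connector output stale (> ${FRESH_MINUTES}m); check API client scopes"; _rc=1
    fi
  else
    echo "FAIL connector output missing or empty: $CONNECTOR_OUT"; _rc=1
  fi
  if filebeat_module_enabled "$FILEBEAT_MOD"; then
    echo "ok   filebeat crowdstrike module enabled"
  else
    echo "warn filebeat crowdstrike module not enabled at $FILEBEAT_MOD"
  fi
  return "$_rc"
}

# Only run the report when invoked as "sh check.sh check"; sourcing the
# file just defines the functions.
case "${1:-}" in
  check) run_checks ;;
esac
```

Run it on the host where the Filebeat module or the agent integration lives (`sh check.sh check`); the connector check is the one that tells you whether the log file is expected on that box at all, since the connector only writes where it is installed.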