Configure CrowdStrike Log Collector
The Alert Logic CrowdStrike collector is an AWS-based API Poll (PAWS) log collector that polls the CrowdStrike Falcon API to collect incident and detection logs from the CrowdStrike platform.
You must complete the following to successfully configure and verify your CrowdStrike log collector:
- Obtain an API client ID and secret key
- Configure collection in the Alert Logic console
- Verify successful configuration
Obtain an API client ID and secret key
You must have an administrator role in the CrowdStrike Falcon platform to generate an API client ID and API secret key.
To generate the API client ID and secret key:
- On the CrowdStrike Falcon platform, navigate to API Clients and Keys.
- In the OAuth2 API Clients table, click Add new API client.
- Enter the following details to define your API client:
- In the Client Name field, enter the client name.
- In the Description field, enter the description for the client.
- In the API Scopes section, enable the Read scope for the Incidents API and the Read scope for the Detections API. Grant no other scopes: the collector only reads data, so a client with additional or Write scopes is more credential than the integration needs.
- Click Add to save the API client and generate the Client ID and Secret Key. Copy the Client ID and Secret Key into a password manager or secrets vault before closing the dialog; the secret is not shown again, and if it is lost you must create a new client.
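Before entering the new client in the Alert Logic console, it is worth confirming that the credentials authenticate and that the client carries exactly the two Read scopes the collector needs. The script below is an added example, not Alert Logic or CrowdStrike code. It performs the OAuth2 client-credentials exchange against the Falcon `/oauth2/token` endpoint and then issues one read-only query against the Incidents and Detects query APIs; a 403 on a probe means that Read scope was not granted. The per-region base URLs and endpoint paths are the public Falcon API ones; the environment variable names are hypothetical, and `fake_http` is a constructed offline stand-in for the API used for the dry run.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Falcon API base URL per cloud region; use the one that matches your tenant.
CLOUD_BASE_URLS = {
    "us-1": "https://api.crowdstrike.com",
    "us-2": "https://api.us-2.crowdstrike.com",
    "eu-1": "https://api.eu-1.crowdstrike.com",
    "us-gov-1": "https://api.laggar.gcw.crowdstrike.com",
}

# Read-only query endpoints, one per scope the collector needs. A 403 on a
# probe means the API client was created without that Read scope.
SCOPE_PROBES = {
    "Incidents: Read": "/incidents/queries/incidents/v1?limit=1",
    "Detections: Read": "/detects/queries/detects/v1?limit=1",
}


def urllib_http(method, url, headers, body=None):
    """Default transport. Returns (status, bytes) and never raises on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def fetch_token(base_url, client_id, client_secret, http=urllib_http):
    """OAuth2 client-credentials exchange; returns a bearer token or raises."""
    form = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}
    ).encode()
    status, raw = http(
        "POST",
        base_url + "/oauth2/token",
        {"Content-Type": "application/x-www-form-urlencoded",
         "Accept": "application/json"},
        form,
    )
    if status not in (200, 201):
        raise RuntimeError(f"token request failed: HTTP {status} {raw[:200]!r}")
    return json.loads(raw)["access_token"]


def probe_scope(base_url, token, path, http=urllib_http):
    """Issue one read-only query and map the HTTP status to a verdict."""
    status, _ = http(
        "GET", base_url + path,
        {"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    if status == 200:
        return "ok"
    if status == 403:
        return "missing scope"
    if status == 401:
        return "token rejected"
    return f"http {status}"


def preflight(cloud, client_id, client_secret, http=urllib_http):
    """Authenticate, then probe every required scope. Returns {scope: verdict}."""
    base_url = CLOUD_BASE_URLS[cloud]
    token = fetch_token(base_url, client_id, client_secret, http)
    return {name: probe_scope(base_url, token, path, http)
            for name, path in SCOPE_PROBES.items()}


def fake_http(method, url, headers, body=None):
    """Constructed offline stand-in for the Falcon API: accepts only the secret
    "good", grants Incidents: Read, and denies Detections: Read."""
    if url.endswith("/oauth2/token"):
        secret = urllib.parse.parse_qs(body.decode()).get("client_secret", [""])[0]
        if method == "POST" and secret == "good":
            return 201, json.dumps({"access_token": "tok123", "expires_in": 1799}).encode()
        return 403, b'{"errors":[{"code":403,"message":"access denied"}]}'
    if headers.get("Authorization") != "Bearer tok123":
        return 401, b'{"errors":[{"code":401,"message":"invalid bearer token"}]}'
    if "/incidents/" in url:
        return 200, json.dumps({"resources": []}).encode()
    return 403, b'{"errors":[{"code":403,"message":"access denied"}]}'


if __name__ == "__main__":
    # Real run: export FALCON_CLOUD, FALCON_CLIENT_ID and FALCON_CLIENT_SECRET
    # (hypothetical variable names); without them the constructed fake is used.
    cloud = os.environ.get("FALCON_CLOUD", "us-1")
    cid = os.environ.get("FALCON_CLIENT_ID")
    secret = os.environ.get("FALCON_CLIENT_SECRET")
    result = (preflight(cloud, cid, secret) if cid and secret
              else preflight("us-1", "demo", "good", http=fake_http))
    for scope, verdict in result.items():
        print(f"{scope:18} {verdict}")
```

Both probes should report `ok` before you continue; a `missing scope` verdict means the client must be edited in Falcon to add that Read scope, and `token rejected` or a failed token request means the Client ID or Secret Key was copied incorrectly. The secret is passed only in the form body of the token request and never appears in a URL, so it will not land in proxy or web-server access logs.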
Configure collection in the Alert Logic console
After you generate the API client ID and the API secret key, you must complete the next steps of the collection configuration process in the Alert Logic console. You can configure more than one instance of the CrowdStrike collector if you need to monitor logs for more than one CrowdStrike account.
To access the Application Registry page, click the menu icon, click Configure, and then click Application Registry.
To add a new CrowdStrike collector:
- In the Application Registry, click the CrowdStrike tile.
- In the Application Name field, enter a descriptive name for the collector.
- In the Client ID field, enter the client ID you generated in Obtain an API client ID and secret key.
- In the Secret Key field, enter the secret key you generated in Obtain an API client ID and secret key.
- Under API Names, select the Incident and Detection logs for Alert Logic to collect from CrowdStrike.
- (Optional) In the Collection Start field, enter the time stamp from which collection should begin, in ISO 8601 UTC format (for example, 2020-01-01T16:00:00Z). If you leave it empty, collection starts from the time the collector is created.
- Click ADD, then wait up to 10 minutes for the application to be created and appear in your application list. Do not click ADD again while the request is processing, or you will create a duplicate collector.
Verify successful configuration
You can verify that your CrowdStrike collector is configured correctly in the Configured Applications tab within approximately 10 minutes of adding the integration. For more information about how to add instances or manage existing collecting applications, see Manage your configured applications.
To view logs collected by a specific CrowdStrike collector:
- In the Application Registry, click the Configured Applications tab.
- Click the View dropdown menu for the CrowdStrike collector.
- Click VIEW LOGS to open log search results for the collector.
The Health console also indicates whether the application collector is healthy or unhealthy. For more information, see Health.