Device | Details |
---|---|
Vendor | CrowdStrike |
Device Type | Endpoint Security |
Connection Type | Syslog |
Data Source Name | crowdstrike |
Data Source ID | 1889 |
Download the rpm install packages for the SIEM Connector from the CrowdStrike Falcon website. You may also want to download the latest documentation package to have the “Falcon SIEM Connector Feature Guide” available as a reference.
Unzip the package and make sure it contains the following file:
cs.falconhoseclient-x.x.x-x.el7.centos.x86_64.rpm
Using a file transfer tool, transfer the file to your Linux server and place it in /opt.
Note: One of many options available to use for the transfer is the free WinSCP tool.
Connect to the Linux server through SSH.
Important: When installing the SIEM Connector, you must log in as the root user on the server.
Type the following commands to install the connector (the version string in the file name will match the package you downloaded):
cd /opt
rpm -Uvh cs.falconhoseclient-1.0.32-1.el7.centos.x86_64.rpm
The installer creates a new directory, /opt/crowdstrike, with three sub directories:
bin/ — holds the binary of the actual service, as well as the API offset file.
etc/ — holds the configuration file(s).
log/ — holds the log file as well as the default local output file.
Configure the SIEM Connector to send logs in CEF format to Sheriff CSM:
Copy /opt/crowdstrike/etc/cs.falconhoseclient.cef.cfg to /opt/crowdstrike/etc/cs.falconhoseclient.cfg.
In the cs.falconhoseclient.cfg file, set the following parameters:
output_format = syslog
output_to_file = false
send_to_syslog_server = true
host = <Sheriff-CSM-Sensor-IP-Address>
port = 514
protocol = udp
Note: For the host entry, the IP address you specify is the IP address of the Sheriff CSM Sensor. Plain syslog over UDP/514 is neither authenticated nor encrypted, so the connector host and the sensor should share a trusted network segment, and a misspelled key name (for example "prococol") is simply an unknown key, so double-check the spelling before starting the service.
Save your configuration file.
Start the SIEM Connector service with the following command:
/etc/init.d/cs.falconhoseclientd start
or
service cs.falconhoseclientd start
To verify your setup is correct and your connectivity has been established, you can use the following command:
tail -f /opt/crowdstrike/log/cs.falconhoseclient.log
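The following POSIX shell helpers are an added example and are not part of the CrowdStrike or Sheriff CSM documentation. They apply the six parameters from the configuration step above to any copy of cs.falconhoseclient.cfg and check the result before the service is started, so they can be tried on a temporary copy without root access or a live /opt/crowdstrike tree. The key names are the ones listed on this page; the sample file content is constructed, and 192.0.2.10 is a placeholder sensor address. The sample deliberately types the parameter block with the "prococol" typo, so the check fails until the real `protocol` key is set.

```shell
#!/bin/sh
# Added example, not CrowdStrike's or Sheriff CSM's code: apply the syslog
# output settings from this page to a copy of cs.falconhoseclient.cfg and
# verify them before starting the service. Works on any file path, so it can
# be exercised on a temp copy without root or a live /opt/crowdstrike tree.

# set_cfg_key FILE KEY VALUE: rewrite an existing "KEY = ..." line, or append one.
set_cfg_key() {
    _file=$1 _key=$2 _value=$3
    if grep -q "^[[:space:]]*${_key}[[:space:]]*=" "$_file"; then
        # write to a temp file and move: portable across GNU and BSD sed
        sed "s|^[[:space:]]*${_key}[[:space:]]*=.*|${_key} = ${_value}|" "$_file" > "$_file.tmp" \
            && mv "$_file.tmp" "$_file"
    else
        printf '%s = %s\n' "$_key" "$_value" >> "$_file"
    fi
}

# get_cfg_key FILE KEY: print the value of KEY (last occurrence wins), empty if absent.
get_cfg_key() {
    sed -n "s|^[[:space:]]*${2}[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# configure_syslog_output FILE SENSOR_IP [PORT] [PROTOCOL]: the six settings from this page.
configure_syslog_output() {
    _f=$1 _sensor=$2 _port=${3:-514} _proto=${4:-udp}
    set_cfg_key "$_f" output_format         syslog
    set_cfg_key "$_f" output_to_file        false
    set_cfg_key "$_f" send_to_syslog_server true
    set_cfg_key "$_f" host                  "$_sensor"
    set_cfg_key "$_f" port                  "$_port"
    set_cfg_key "$_f" protocol              "$_proto"
}

# check_syslog_output FILE: 0 if the file forwards to a syslog server, 1 otherwise.
# A misspelled key (e.g. "prococol") is just an unknown key, so the real one reads as empty.
check_syslog_output() {
    _f=$1
    [ "$(get_cfg_key "$_f" output_format)" = syslog ]       || return 1
    [ "$(get_cfg_key "$_f" output_to_file)" = false ]       || return 1
    [ "$(get_cfg_key "$_f" send_to_syslog_server)" = true ] || return 1
    [ -n "$(get_cfg_key "$_f" host)" ]                      || return 1
    case "$(get_cfg_key "$_f" port)" in
        ''|*[!0-9]*) return 1 ;;
    esac
    case "$(get_cfg_key "$_f" protocol)" in
        udp|tcp) return 0 ;;
        *)       return 1 ;;
    esac
}

# write_sample_cfg FILE: constructed sample, the parameter block from this page typed
# verbatim including the "prococol" typo. Not the template shipped in the RPM.
write_sample_cfg() {
    cat > "$1" <<'EOF'
# constructed sample config (not the real cs.falconhoseclient.cfg)
output_format = syslog
output_to_file = false
send_to_syslog_server = true
host = 192.0.2.10
port = 514
prococol = udp
EOF
}

# Stand-alone demo: run as "sh thisfile.sh demo".
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp)
    write_sample_cfg "$tmp"
    check_syslog_output "$tmp" || echo "before: check fails (protocol is unset)"
    configure_syslog_output "$tmp" 192.0.2.10
    check_syslog_output "$tmp" && echo "after: check passes" && cat "$tmp"
    rm -f "$tmp"
fi
```

On the real host, point `configure_syslog_output` at /opt/crowdstrike/etc/cs.falconhoseclient.cfg (as root, after copying the CEF template) and run `check_syslog_output` on it before `service cs.falconhoseclientd start`; the stale misspelled line is left in place, which is harmless but worth deleting by hand.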