flc config updates

Config-Samples/Log-Shippers/Falcon-LogScale-Collector/NG-SIEM/NGS-FLC-BasicLinuxConfig.yaml

@@ -0,0 +1,55 @@
+#####
+## Sample configuration file for Linux.
+## This is YAML, so structure and indentation is important.
+## Lines can be uncommented by removing the #. You should not need to change the number of spaces after that.
+## Config options have a single #, comments have a ##. Only uncomment the single # lines if you need them.
+#####
+
+## Uncomment dataDirectory if you need to manually set the directory.
+## Note: Not used with Data Ingest / Fleet Management configuration
+#dataDirectory: C:\ProgramData\LogScale Collector
+
+sources:  
+  ## Collect syslog udp 1514.
+  syslog_udp_1514:
+    type: syslog
+    mode: udp
+    port: 1514
+    sink: next-gen-siem-syslog-udp
+    maxEventSize: 2048
+
+  ## Collect local files.
+  var_log:
+    type: file
+    include:
+      - /var/log/apache2/access.log
+      - /var/log/*.log
+    exclude:
+      - /var/log/*.gz
+    sink: next-gen-siem-fileread
+
+## Each sink will have a unique token and url that correspond to Data Connector you wish to send data to.     
+sinks:
+  ## This sink receives data from "syslog_udp_1514" source above  
+  next-gen-siem-syslog-udp:
+    type: hec
+    ## Replace with your specified ingest token.
+    token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+    ## Replace with the "Ingest URL" on the FLC download page. It must include the "https://" at the beginning.
+    ## NOTE: you MUST REMOVE the "services/collector" from the URL if it exists.  
+    url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Y.crowdstrike.com
+    maxEventSize: 910000
+    maxBatchSize: 5242880
+    workers: 4
+
+   ## This sink receives data from "var_log" source above 
+  next-gen-siem-fileread:
+    type: hec
+    ## Replace with your specified ingest token.
+    token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+    ## Replace with the "Ingest URL" on the FLC download page. It must include the "https://" at the beginning.
+    ## NOTE: you MUST REMOVE the "services/collector" from the URL if it exists.  
+    url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Y.crowdstrike.com
+    maxEventSize: 910000
+    maxBatchSize: 5242880
+    workers: 4

Config-Samples/Log-Shippers/Falcon-LogScale-Collector/NG-SIEM/NGS-FLC-BasicWindowsConfig.yaml

@@ -0,0 +1,57 @@
+#####
+## Sample configuration file for Microsoft Windows.
+## This is YAML, so structure and indentation is important.
+## Lines can be uncommented by removing the #. You should not need to change the number of spaces after that.
+## Config options have a single #, comments have a ##. Only uncomment the single # lines if you need them.
+#####
+
+## Uncomment dataDirectory if you need to manually set the directory.
+## Note: Not used with Data Ingest / Fleet Management configuration
+#dataDirectory: C:\ProgramData\LogScale Collector
+
+sources:
+  ## Collect windows event logs
+  windows_events:
+    type: wineventlog
+    channels:
+      - name: Application
+      - name: Security
+      - name: System
+      - name: Windows PowerShell
+      - name: ForwardedEvents
+    sink: next-gen-siem-windows
+
+  ## Collect syslog udp 1514.
+  syslog_udp_1514:
+    type: syslog
+    mode: udp
+    port: 1514
+    maxEventSize: 2048
+    sink: next-gen-siem-syslog-udp
+
+## Each sink will have a unique token and url that correspond to Data Connector you wish to send data to.     
+sinks:
+
+  ## This sink receives data from "windows_events" source above   
+  next-gen-siem-windows:
+    type: hec
+    ## Replace with your specified ingest token.
+    token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+    ## Replace with the "Ingest URL" on the FLC download page. It must include the "https://" at the beginning.
+    ## NOTE: you MUST REMOVE the "services/collector" from the URL if it exists.  
+    url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Y.crowdstrike.com
+    maxEventSize: 910000
+    maxBatchSize: 5242880
+    workers: 4
+
+  ## This sink receives data from "syslog_udp_1514" source above  
+  next-gen-siem-syslog-udp:
+    type: hec
+    ## Replace with your specified ingest token.
+    token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+    ## Replace with the "Ingest URL" on the FLC download page. It must include the "https://" at the beginning.
+    ## NOTE: you MUST REMOVE the "services/collector" from the URL if it exists.  
+    url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Y.crowdstrike.com
+    maxEventSize: 910000
+    maxBatchSize: 5242880
+    workers: 4

Config-Samples/Log-Shippers/Falcon-LogScale-Collector/NG-SIEM/NGS-FLC-MultiSourceWindowsConfig.yaml

@@ -0,0 +1,190 @@
+#####
+## Sample configuration file for Microsoft Windows.
+## This is YAML, so structure and indentation is important.
+## Lines can be uncommented by removing the #. You should not need to change the number of spaces after that.
+## Config options have a single #, comments have a ##. Only uncomment the single # lines if you need them.
+#####
+
+## Uncomment dataDirectory if you need to manually set the directory.
+## Note: Not used with Data Ingest / Fleet configuration
+#dataDirectory: C:\ProgramData\LogScale Collector
+
+sources:
+  ## Collect windows event logs
+  windows_events:
+    type: wineventlog
+    ## Add other channels by simple adding additional "name" lines.
+    ## The following command can be used to find other channels:
+    ## Get-WinEvent -ListLog * -EA silentlycontinue | sort-object -Property Recordcount -desc
+    channels:
+      - name: Application
+        #excludeEventIDs: [903, 900]
+      - name: Security
+        #onlyEventIDs: [4624,4634,4672]
+      - name: System
+      - name: Windows PowerShell
+      - name: ForwardedEvents
+    ## Set language to en-US
+    #language: 1033
+    ## Don't send the raw XML
+    #includeXML: false
+    sink: next-gen-siem-windows
+
+  fileRead:
+    type: file
+    include:
+    - c:\temp\flc_files\csv_sample2.csv
+    exclude: 
+    - c:\temp\flc_files\ignore.txt
+    ## Optional: Exclude files with specific extensions
+    #excludeExtensions:
+    #   - "gz"
+    #   - "zip"
+    ## Configure multiline parsing if needed
+    #multiLineBeginsWith: '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
+    sink: next-gen-siem-fileread
+
+## For Syslog sources, you may configure multiple sources, each with unique port, protocol, and sink configurations. 
+
+  ## Collect syslog udp 1514.
+  syslog_udp_1514:
+    type: syslog
+    mode: udp
+    port: 1514
+    sink: next-gen-siem-syslog-udp
+    ## Optional: Bind to a specific address
+    #bind: "0.0.0.0"
+    ## Optional: Max allowed event size (default = 2048 bytes), messages larger than this will be truncated
+    ## Increase this value if you expect larger syslog messages. 
+    ## Be cautious when increasing this value, as it affects memory usage and network bandwidth.
+    ## The max value is 950000 bytes.
+    maxEventSize: 2048
+
+  ## Collect syslog tcp 1515.
+  syslog_tcp_1515:
+    type: syslog
+    mode: tcp
+    port: 1515
+    sink: next-gen-siem-syslog-tcp
+    ## Optional: Bind to a specific address
+    #bind: "0.0.0.0"
+    ## Optional: Max allowed event size (default = 2048 bytes), messages larger than this will be truncated
+    ## Increase this value if you expect larger syslog messages. 
+    ## Be cautious when increasing this value, as it affects memory usage and network bandwidth.
+    ## The max value is 950000 bytes.
+    maxEventSize: 900000 
+
+## Each sink will have a unique token and url that correspond to Data Connector you wish to send data to.     
+sinks:
+
+  ## This sink matches to the configuration in the "Windows" type sources above  
+  next-gen-siem-windows:
+    type: hec
+    ## Replace with your specified ingest token.
+    token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+    ## Replace with the "Ingest URL" on the FLC download page. It must include the "https://" at the beginning.
+    ## NOTE: you MUST REMOVE the "services/collector" from the URL if it exists.  
+    url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Y.crowdstrike.com
+    ## Keep this option as "none" unless you actually need a proxy.
+    proxy: none  
+    ## This sets the maximum single event size to 900KB. You can change as needed.
+    maxEventSize: 910000
+    ## This sets the maximum payload size (bytes) for a single batch of events. The max value is maxBatchSize: 16777216.
+    maxBatchSize: 5242880
+    ## Uncomment if you would like to force a specific level of gzip compression. 9 is the highest.
+    #compression: gzip
+    #compressionLevel: 9
+    ## Uncomment if you want to use disk for event queue storage instead of memory.
+    ## Please note this may be slower than a memory queue.
+    #queue:
+      #type: disk
+      #fullAction: pause
+      #maxLimitInMB: 4096
+    ## Add more workers to processing. The default is 4 workers. 
+    ## This can be increased if FLC is falling behind on processing.
+    workers: 4
+
+  ## This sink matches to the configuration in the "File" type sources above  
+  next-gen-siem-fileread:
+    type: hec
+    ## Replace with your specified ingest token.
+    token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+    ## Replace with the "Ingest URL" on the FLC download page. It must include the "https://" at the beginning.
+    ## NOTE: you MUST REMOVE the "services/collector" from the URL if it exists.  
+    url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Y.crowdstrike.com
+    ## Keep this option as "none" unless you actually need a proxy.
+    proxy: none  
+    ## This sets the maximum single event size to 900KB. You can change as needed.
+    maxEventSize: 910000
+    ## This sets the maximum payload size (bytes) for a single batch of events. The max value is maxBatchSize: 16777216.
+    maxBatchSize: 5242880
+    ## Uncomment if you would like to force a specific level of gzip compression. 9 is the highest.
+    #compression: gzip
+    #compressionLevel: 9
+    ## The queue size is reduced to 64 MB because the input is read from persistent files.
+    queue:
+      type: memory  
+      maxLimitInMB: 64
+    ## Add more workers to processing. The default is 4 workers. 
+    ## This can be increased if FLC is falling behind on processing.
+    workers: 4
+
+  ## This sink matches to the configuration in the "UDP Syslog" source above 
+  next-gen-siem-syslog-udp:
+    type: hec
+    ## Replace with your specified ingest token.
+    token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+    ## Replace with the "Ingest URL" on the FLC download page. It must include the "https://" at the beginning.
+    ## NOTE: you MUST REMOVE the "services/collector" from the URL if it exists.  
+    url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Y.crowdstrike.com
+    ## Keep this option as "none" unless you actually need a proxy.
+    proxy: none
+    ## This sets the maximum single event size (bytes). The max value is maxEventSize: 950000.
+    maxEventSize: 910000
+    ## This sets the maximum payload size (bytes) for a single batch of events. The max value is maxBatchSize: 16777216.
+    maxBatchSize: 5242880
+    ## Uncomment if you would like to force a specific level of type and level compression. 9 is the highest.
+    ## Default is "auto", which attempts "gzip" and its default compression but falls back to "none" if unsupported.
+    #compression: gzip
+    #compressionLevel: 9
+    ## Uncomment if you want to use disk for event queue storage instead of memory.
+    ## Please note this may be slower than a memory queue.
+    ## You may use a disk queue to persist syslog messages,
+    ## ensuring data integrity during network issues or system restarts.
+    #queue:
+      #type: disk
+      #fullAction: pause
+      #maxLimitInMB: 4096
+    ## Add more workers to processing. The default is 4 workers. 
+    ## This can be increased if FLC is falling behind on processing.
+    workers: 4
+
+   ## This sink matches to the configuration in the "TCP Syslog" source above 
+  next-gen-siem-syslog-tcp:
+    type: hec
+    ## Replace with your specified ingest token.
+    token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+    ## Replace with the "Ingest URL" on the FLC download page. It must include the "https://" at the beginning.
+    ## NOTE: you MUST REMOVE the "services/collector" from the URL if it exists.  
+    url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Y.crowdstrike.com
+    ## Keep this option as "none" unless you actually need a proxy.
+    proxy: none
+    ## This sets the maximum single event size (bytes). The max value is maxEventSize: 950000.
+    maxEventSize: 910000
+    ## This sets the maximum payload size (bytes) for a batch of events being uploaded together. The max value is maxBatchSize: 16777216.
+    maxBatchSize: 5242880
+    ## Uncomment if you would like to force a specific level of type and level compression. 9 is the highest.
+    ## Default is "auto", which attempts "gzip" and its default compression but falls back to "none" if unsupported.
+    #compression: gzip
+    #compressionLevel: 9
+    ## Uncomment if you want to use disk for event queue storage instead of memory.
+    ## Please note this may be slower than a memory queue.
+    ## You may use a disk queue to persist syslog messages,
+    ## ensuring data integrity during network issues or system restarts.
+    #queue:
+      #type: disk
+      #fullAction: pause  
+      #maxLimitInMB: 4096
+    ## Add more workers to processing. The default is 4 workers. 
+    ## This can be increased if FLC is falling behind on processing.
+    workers: 4

Config-Samples/Log-Shippers/Falcon-LogScale-Collector/NG-SIEM/NGS-FLC-SyslogOnly.yaml

@@ -0,0 +1,31 @@
+#####
+## Sample configuration file for Linux or Microsoft Windows.
+## This is YAML, so structure and indentation is important.
+## Lines can be uncommented by removing the #. You should not need to change the number of spaces after that.
+## Config options have a single #, comments have a ##. Only uncomment the single # lines if you need them.
+#####
+
+sources:
+  syslog_udp_1514:
+    type: syslog
+    mode: udp
+    port: 1514
+    sink: next-gen-siem
+
+  syslog_tcp_1514:
+    type: syslog
+    mode: tcp
+    port: 1514
+    sink: next-gen-siem
+
+sinks:
+  next-gen-siem:
+    type: hec
+    token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+    url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Y.crowdstrike.com
+    proxy: none
+    workers: 4
+    ## This sets the maximum single event size to. You can change as needed. the maximum value is 950000.
+    maxEventSize: 910000
+    ## This sets the maximum payload size for a single batch of events. The max value is maxBatchSize: 16777216.
+    maxBatchSize: 5242880