CrowdStrike Falcon Integration


CrowdStrike Falcon is an endpoint security platform designed to detect and prevent cyberattacks. It is developed by CrowdStrike, a cybersecurity company that specializes in cloud-based endpoint protection. Falcon Host uses artificial intelligence and machine learning algorithms to analyze behavior patterns and detect potential threats on endpoints, such as laptops, desktops, and servers.


  • Logsign versions 6.3.23 and later support this integration.


The CrowdStrike Falcon SIEM Connector runs as a service on a local Linux server. Resource requirements (CPU/memory/hard drive) are minimal, and the system can be a VM.


  1. Supported OS (64-bit only):
  • CentOS/RHEL 6.x-7.x
  • Ubuntu 14.x
  • Ubuntu 16.04
  • Ubuntu 18.04
  • Ubuntu 20.04
  2. Connection: An Internet connection and the ability to connect to the CrowdStrike Cloud (HTTPS/TCP 443) are required.
  3. Authorization: CrowdStrike API Event Streaming scope access must be provided.
  4. Time: The date and time on the host running the Falcon SIEM Connector must be current (NTP recommended).
  5. Download the RPM installation packages for the SIEM Connector from the CrowdStrike Falcon UI.



  1. Download the package for your operating system to the Linux server you want to use. Open a terminal and run the install command, where <installer package> is the installer you downloaded:
  • CentOS:
    sudo rpm -Uvh <installer package>
  • Ubuntu:
    sudo dpkg -i <installer package>
  2. The Falcon SIEM Connector is installed in /opt/crowdstrike/ by default.
  3. Configure the SIEM Connector to forward JSON events to Logsign. The configuration files are located in the /opt/crowdstrike/etc/ directory.
  4. The SIEM Connector uses the /opt/crowdstrike/etc/cs.falconhoseclient.cfg configuration file by default.
  5. Open the /opt/crowdstrike/etc/cs.falconhoseclient.cfg file in a text editor and make the following edits:


  • app_id = Enter Logsign SIEM.
  • client_id = Add the registered client_id.
  • client_secret = Add the registered client_secret.
  • output_format = json.
  • EventTypeCollection (enable all events):
    • DetectionSummaryEvent = true
    • AuthActivityAuditEvent = true
    • UserActivityAuditEvent = true
    • HashSpreadingEvent = true
    • RemoteResponseSessionStartEvent = true
    • RemoteResponseSessionEndEvent = true


Steps for Syslog Forwarding

Below is an example showing how to forward logs in JSON format via syslog. If it does not exist, please add it:


Replace `<syslog_server_ip>` with the IP address of your SIEM server. Also, ensure the `port` value is set to the appropriate syslog port (commonly 514).

Save the Configuration File:

Save the changes and exit the editor. If you are using the Nano editor, you can save the changes with `CTRL + O`, and exit with `CTRL + X`.


11. After saving the configuration file, you can start the SIEM connector service with one of the following commands:

  • CentOS:
    sudo service cs.falconhoseclientd start
  • Ubuntu 14.x:
    sudo start cs.falconhoseclientd
  • Ubuntu 16.04 and after:
    sudo systemctl start cs.falconhoseclientd.service


12. To verify that your setup is correct and your connection is established, you can check the log file with the following command:

  • sudo tail -f /var/log/crowdstrike/falconhoseclient/cs.falconhoseclient.log

13. With these steps, the forwarding requirements are completed.
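
A pre-start check of the settings listed above, added here as an example; it is not Logsign's or CrowdStrike's code. The section names in the constructed sample and the `host` key for the syslog server are assumptions, and the check reads keys from any section so it does not depend on them.

```python
import configparser
# Event types the article says to enable.
REQUIRED_EVENTS = (
    "DetectionSummaryEvent AuthActivityAuditEvent UserActivityAuditEvent "
    "HashSpreadingEvent RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent"
).split()

def check_connector_config(text):
    """Return a list of problems in cs.falconhoseclient.cfg-style INI text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, e.g. DetectionSummaryEvent
    cp.read_string(text)
    # Flatten all sections so the check does not depend on section names.
    flat = {k: v.strip() for s in cp.sections() for k, v in cp[s].items()}
    problems = []
    for key in ("app_id", "client_id", "client_secret"):
        if not flat.get(key) or flat[key].startswith("<"):
            problems.append(f"{key} is empty or still a placeholder")
    if flat.get("output_format", "").lower() != "json":
        problems.append("output_format must be json")
    problems += [f"{e} is not enabled" for e in REQUIRED_EVENTS
                 if flat.get(e, "").lower() != "true"]
    host = flat.get("host", "")  # assumed key name for the syslog server
    if not host or host.startswith("<"):
        problems.append("syslog host is empty or still a placeholder")
    port = flat.get("port", "")
    if not (port.isdigit() and 0 < int(port) < 65536):
        problems.append("syslog port is not a valid port number")
    return problems

# Constructed sample with three deliberate mistakes; not a real configuration.
SAMPLE = """\
[Settings]
app_id = logsign-siem
client_id = 0123456789abcdef
client_secret = <client_secret>
output_format = syslog
[EventTypeCollection]
DetectionSummaryEvent = true
AuthActivityAuditEvent = true
UserActivityAuditEvent = true
HashSpreadingEvent = false
RemoteResponseSessionStartEvent = true
RemoteResponseSessionEndEvent = true
[Syslog]
host = 192.0.2.10
port = 514
"""
if __name__ == "__main__":
    print("\n".join(check_connector_config(SAMPLE)))
```

To check the live file, pass the contents of /opt/crowdstrike/etc/cs.falconhoseclient.cfg to `check_connector_config` before starting the service; an empty list means every setting named in this article is in place.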
