Skip to content

This is a minimal container that supports CrowdStrike log ingestion for SIEM purposes.

Notifications You must be signed in to change notification settings

skroutz/Falcon-CrowdStrike-SIEM-Connector

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

41 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Falcon-CrowdStrike-SIEM-Connector

This container has all the necessary components to run the Falcon CrowdStrike connector deb package.
There are two ways to use this container.

Using an .env file

To use this image with a configuration file, fill the .env file in the root directory of this repository with the following contents:

CLIENT_ID=<YOUR_CLIENT_ID>
CLIENT_SECRET=<YOUR_CLIENT_SECRET>
API_BASE_URL=<YOUR_API_URL>

The API_BASE_URL depends on the region you are:

Make sure to check out the documentation just in case any of these values changes.

The CLIENT_ID and CLIENT_SECRET can be produced by visiting /api-clients-and-keys UI.

Building

~$ docker build . -t <name>:<tag>

Running

~$ docker run <name>:<tag>

Debugging

Make sure you have a running container first (the container doesn't stop running as it is polling logs).

~$ docker exec -it <container_name> bash

Using arguments

To use this image with run-time arguments, skip the file and add them during run-time.

Building

~$ docker build . -t <name>:<tag>

Running

~$ docker run \
	-e CLIENT_ID=<CLIENT_ID> \
	-e CLIENT_SECRET=<CLIENT_SECRET> \
	-e API_BASE_URL=<API_BASE_URL> \
	-e LOG_DIR=/var/log/crowdstrike/falconhoseclient/ \
	-e LOG_FILE=output \
	<name>:<tag>

Debugging

Make sure you have a running container first (the container doesn't stop running as it is polling logs).

~$ docker exec -it <container_name> bash

docker-compose

If you have docker-compose on your machine you can simply run:

~$ docker-compose up -d # To spin things up
~$ docker-compose ps    # To show process
~$ docker-compose logs  # To show logs
~$ docker-compose down  # To spin down

Notes

This image is built for Linux x64 so you might need to do some adjustments for other architectures.

About

This is a minimal container that supports CrowdStrike log ingestion for SIEM purposes.

Resources

Stars

Watchers

Forks

Packages

 
 
 

Languages

  • Dockerfile 68.1%
  • Shell 31.9%