CrowdStrike integration not working

[gtgod1]

Integration Name

CrowdStrike [crowdstrike]

Dataset Name

No response

Integration Version

1.42.0

Agent Version

8.15.1

Agent Output Type

elasticsearch

Elasticsearch Version

8.15.1

OS Version and Architecture

rhel 8.5

Software/API Version

v2

Error Message

output of the crowdstrike siem integrator config is set to json. but I get this error in the logs

Processor "json" with tag "decode_json" in pipeline "logs-crowdstrike.falcon-1.42.0" failed with message "Unexpected character ('/' (code 47)): Expected space separating root-level values\n at [Source: (StringReader); line: 1, column: 6]"

Event Original

No response

What did you do?

reinstalled integreation

What did you see?

    {
  "_index": ".ds-logs-crowdstrike.falcon-default-2024.09.13-000013",
  "_id": "7VIGFZIBJj9lF61IaE3x",
  "_version": 1,
  "_score": 0,
  "_source": {
    "input": {
      "type": "log"
    },
    "agent": {
      "name": "elkapplcdcpvm09.nyumc.org",
      "id": "048da647-43d1-47dc-be17-733883f03e64",
      "ephemeral_id": "f53c5413-3099-4b01-a971-90216c6729a6",
      "type": "filebeat",
      "version": "8.15.1"
    },
    "@timestamp": "2024-09-21T14:36:53.252Z",
    "ecs": {
      "version": "8.11.0"
    },
    "log": {
      "file": {
        "path": "/var/log/crowdstrike/falconhoseclient/cs.falconhoseclientworkstations.log"
      },
      "offset": 0,
      "flags": [
        "truncated",
        "multiline"
      ]
    },
    "data_stream": {
      "namespace": "default",
      "type": "logs",
      "dataset": "crowdstrike.falcon"
    },
    "elastic_agent": {
      "id": "048da647-43d1-47dc-be17-733883f03e64",
      "version": "8.15.1",
      "snapshot": false
    },"elastic_agent.id": [
      "048da647-43d1-47dc-be17-733883f03e64"
    ],
    "data_stream.namespace": [
      "default"
    ],
    "input.type": [
      "log"
    ],
    "log.offset": [
      0
    ],
    "log.flags": [
      "truncated",
      "multiline"
    ],
    "data_stream.type": [
      "logs"
    ],
    "tags": [
      "preserve_original_event",
      "forwarded",
      "crowdstrike-falcon"
    ],
    "event.ingested": [
      "2024-09-21T14:39:54.000Z"
    ],
    "@timestamp": [
      "2024-09-21T14:36:53.252Z"
    ],
    "agent.id": [
      "048da647-43d1-47dc-be17-733883f03e64"
    ],
    "ecs.version": [
      "8.11.0"
    ],
    "error.message": [
      "Processor \"json\" with tag \"decode_json\" in pipeline \"logs-crowdstrike.falcon-1.42.0\" failed with message \"Unexpected character ('/' (code 47)): Expected space separating root-level values\\n at [Source: (StringReader); line: 1, column: 6]\""
    ],
    "data_stream.dataset": [
      "crowdstrike.falcon"
    ],
    "log.file.path": [
      "/var/log/crowdstrike/falconhoseclient/cs.falconhoseclientworkstations.log"
    ],
    "agent.ephemeral_id": [
      "f53c5413-3099-4b01-a971-90216c6729a6"
    ],
    "agent.version": [
      "8.15.1"
    ],
    "event.dataset": [
      "crowdstrike.falcon"
    ]
  }
}

What did you expect to see?

parsed data

Anything else?

No response

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[efd6]

@gtgod1 It would be helpful to provide an event with "Preserve original event" enabled; this data should be sanitised. Note though that since the integration is collected data from logs, you could examine the the file at /var/log/crowdstrike/falconhoseclient/cs.falconhoseclientworkstations.log to check that it is valid JSON. The error is complaining about an / at column 6 of the line it's failing on. If you are not getting any data ingested, it should be very common that you see this. My guess is that whatever is writing the logs is also prepending the messages with some text (maybe a path?). Can you post the prefix (say first ten characters) of a message?

[gtgod1]

@efd6 Sorry for the late response, but I noticed there is the ability to do an API pull instead of the Siem connector for the integration, so I am using that instead. It works much better.

[AnginAbroyan]

@efd6 Sorry for the late response, but I noticed there is the ability to do an API pull instead of the Siem connector for the integration, so I am using that instead. It works much better.

Can you please advise what did I do wrong? I try to get the logs via Rest API in Fleet Crowdstrike integration. I've entered the secret, client id, base url and url token, but don't get any data from crowdstrike.

[efd6]

@AnginAbroyan Sorry, but there is not enough information there for me to be able to resolve that.