How to Complete Your LogScale Observability Strategy with Grafana
CrowdStrike Falcon® LogScale, formerly known as Humio, provides a full range of dashboarding and live query capabilities out of the box. Sometimes, however, you’ll work in an environment where there are other solutions alongside LogScale. For example, let’s say your operations team takes an observability approach that includes metrics scraped by Prometheus, tracing with Jaeger, and dashboard visualizations with Grafana. LogScale may just be one part of a wider strategy, but integrating LogScale into Grafana is simple!
Before we show how to link up LogScale with Grafana, we’ll assume you have met the following two prerequisites:
- You have a LogScale instance up and running, whether that’s a self-hosted deployment or an instance of Falcon LogScale Community Edition, running on LogScale Cloud.
- You have a repository in your LogScale instance with data in it.
For this demo, we’ll use:
- A Falcon LogScale Community Edition license
- The grafana/grafana image from Docker Hub
- A LogScale repository set up for ingesting httpd access log data
Are you ready? Let’s roll.
Step 1: Install the Humio Datasource Plugin
The key connector that facilitates this integration between LogScale and Grafana is the Humio Datasource plugin for Grafana. At the time of writing, the plugin requires Grafana 8.x.x, so keep that in mind when installing in your environment.
First, we’ll cover the steps for setting up the plugin as if you were running Grafana natively on an operating system. If you’re following along just to test out the plugin or want to get up and running sooner, jump ahead to the section below entitled “Containerized Quickstart”.
Installing and configuring Grafana is outside the scope of this demo. We’ve already installed Grafana using our package manager, which gives us a grafana-cli utility that we can use to install the Humio Datasource plugin:

$ sudo grafana-cli plugins install humio-datasource
installing humio-datasource @ 3.2.4
from: https://grafana.com/api/plugins/humio-datasource/versions/3.2.4/download
into: /var/lib/grafana/plugins

✔ Installed humio-datasource successfully

Restart grafana after installing plugins . <service grafana-server restart>

$ sudo systemctl restart grafana-server.service
Now, when you navigate in the Grafana interface to Configuration > Plugins, you’ll see the datasource plugin installed!
Containerized Quickstart
Grafana has a handy option that installs the Humio Datasource plugin automatically when the container starts. If you’re running Grafana containerized, run the following command to get a ready-to-use Grafana instance with the Humio Datasource plugin installed.
$ docker run -d -p 3000:3000 --name=grafana -e "GF_INSTALL_PLUGINS=humio-datasource" grafana/grafana
This command runs a Grafana container in detached mode, maps port 3000 on the host to port 3000 in the container, and installs the humio-datasource plugin. The Grafana interface is then available at http://localhost:3000 in your browser.
As a quick sanity check, let’s make sure our Grafana container is running.
$ docker ps
CONTAINER ID   IMAGE             COMMAND     CREATED              STATUS              PORTS                    NAMES
2c862ff60a5f   grafana/grafana   "/run.sh"   About a minute ago   Up About a minute   0.0.0.0:3000->3000/tcp   grafana
Now that Grafana is up and running, navigate to http://localhost:3000 in your browser and log in. Since this is a fresh container with no authentication scheme configured, the initial login uses admin for both the username and the password; change it once you’re in. Now, when you go to Configuration > Plugins and search for “Humio”, you’ll see the plugin installed.
Step 2: Add the Datasource
Now, we can add our data source.
If you’re not already in the Plugins section of Grafana, then navigate to Configuration > Plugins and search for “Humio.” Click the box containing the Humio plugin. You’ll see some documentation about the plugin on this page, but what we’re interested in is the blue button to Create a Humio data source. Click that button to move on to the data source configuration.
Although there is a lot of information on the configuration page, we’ll focus on the most important settings.
First, the name of the data source is prepopulated with “Humio,” but you can change this if you’d like. For our demo, we’ll continue using the default name.
Second, the connection URL varies depending on your LogScale environment and license. We’re using Humio Community Edition, so our URL is https://cloud.community.humio.com. Consult LogScale’s Endpoints documentation for the URL that applies to your environment.
Finally, we need to configure authentication. Grafana needs a credential or token to authenticate with LogScale and access repository data, and there are several authentication settings you can choose from to fit your environment. For ease of configuration, we’ll use a Personal API Token and add it to the last box on the page, labeled “Token”:
Warning: If you’re actively using your personal API token for other use cases, resetting it will impact any other application using it!
To generate a personal API token, log into LogScale and navigate to User Menu > Manage Account > Personal API Token. Then, set or reset your token. Once you have your token, copy its value and paste it into the Grafana “Token” box. The last step is to click Save & test to verify connectivity.
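If you would rather script Step 2 (and confirm the plugin from Step 1 or the container quickstart really is installed) than click through the UI, Grafana’s own HTTP API can do it. The following is an added example written for this post; it is not CrowdStrike’s, Grafana’s or the plugin’s code. The Grafana endpoints it uses (GET /api/health, GET /api/plugins/<id>/settings, POST /api/datasources) are Grafana’s documented ones; the jsonData key baseUrl and the secureJsonData key accessToken are assumed names for the plugin’s settings, so check the plugin’s provisioning documentation before relying on them. The token and admin password are read from environment variables rather than pasted into a command line, and the token is placed only in secureJsonData, which Grafana encrypts at rest and never returns from its API.

```python
"""Provision and verify the Humio (LogScale) datasource through Grafana's HTTP API.

Added example, not code from the original post, CrowdStrike, Grafana or the plugin.
ASSUMED plugin field names (verify against the plugin docs):
  jsonData["baseUrl"] and secureJsonData["accessToken"].
"""
import base64
import json
import os
import urllib.error
import urllib.request
from typing import Callable, Optional

PLUGIN_ID = "humio-datasource"

# Injectable transport: (method, url, headers, body) -> (http_status, decoded_json_or_None)
Transport = Callable[[str, str, dict, Optional[bytes]], tuple]


def urllib_transport(method: str, url: str, headers: dict, body: Optional[bytes]) -> tuple:
    """Default transport over urllib; HTTP errors are returned as a status, not raised."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, None


def datasource_payload(name: str, base_url: str, token: str) -> dict:
    """Build the POST /api/datasources body.

    The token goes only into secureJsonData: Grafana encrypts that field at rest
    and never returns it, whereas jsonData is visible to anyone who can read the
    datasource definition.
    """
    if not token:
        raise ValueError("LogScale token is empty")
    if not base_url.startswith("https://"):
        raise ValueError("LogScale URL must use https so the token is never sent in clear")
    return {
        "name": name,
        "type": PLUGIN_ID,
        "access": "proxy",  # Grafana's backend talks to LogScale; the browser never holds the token
        "url": base_url,
        "jsonData": {"baseUrl": base_url},         # ASSUMED plugin key
        "secureJsonData": {"accessToken": token},  # ASSUMED plugin key
    }


def token_exposed(payload: dict, token: str) -> bool:
    """True if the token appears anywhere other than secureJsonData (a misconfiguration)."""
    visible = {k: v for k, v in payload.items() if k != "secureJsonData"}
    return token in json.dumps(visible)


class GrafanaAdmin:
    def __init__(self, grafana_url: str, user: str, password: str,
                 transport: Transport = urllib_transport):
        self.base = grafana_url.rstrip("/")
        cred = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {cred}", "Content-Type": "application/json"}
        self.transport = transport

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> tuple:
        data = json.dumps(body).encode() if body is not None else None
        return self.transport(method, self.base + path, self.headers, data)

    def healthy(self) -> bool:
        status, body = self._call("GET", "/api/health")
        return status == 200 and (body or {}).get("database") == "ok"

    def plugin_installed(self) -> bool:
        # Grafana answers 404 on this route when the plugin is not installed.
        status, _ = self._call("GET", f"/api/plugins/{PLUGIN_ID}/settings")
        return status == 200

    def create_datasource(self, payload: dict) -> dict:
        status, body = self._call("POST", "/api/datasources", payload)
        if status == 409:
            raise RuntimeError(f"datasource {payload['name']!r} already exists")
        if status != 200:
            raise RuntimeError(f"Grafana returned HTTP {status}")
        return body


def main() -> None:
    # Secrets come from the environment, not argv, so they stay out of shell history.
    admin = GrafanaAdmin(os.environ.get("GRAFANA_URL", "http://localhost:3000"),
                         os.environ.get("GRAFANA_USER", "admin"),
                         os.environ["GRAFANA_PASSWORD"])
    if not admin.healthy():
        raise SystemExit("Grafana is not reachable or its database is not ready")
    if not admin.plugin_installed():
        raise SystemExit(f"{PLUGIN_ID} is not installed; see Step 1")
    payload = datasource_payload("Humio", "https://cloud.community.humio.com",
                                 os.environ["LOGSCALE_API_TOKEN"])
    print("created datasource id", admin.create_datasource(payload).get("id"))


if __name__ == "__main__":
    main()
```

Run it as `GRAFANA_PASSWORD=... LOGSCALE_API_TOKEN=... python3 provision_humio.py` against the container from the quickstart. The transport is injectable so the same code can be exercised against canned responses in a test without a live Grafana, which is also how you would wire it into a CI job that validates dashboards-as-code.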
Step 3: Run Queries and Configure Dashboards
Running queries on LogScale data in Grafana works much the same way as querying directly in LogScale. For example, taking our demo repository with accesslog data, we can run a timeChart in Grafana the same way we would in LogScale: navigate to the “Explore” section of Grafana, select the repository, and run the query.
The Grafana Integrations page in the LogScale documentation has some tips on how certain outputs of LogScale map to Grafana.
Queries can get rather long, especially in complex use cases. Fortunately, LogScale lets you save queries, and the Humio Datasource plugin lets you use those saved queries directly in Grafana!
Let’s start with our example query from above:
#type=accesslog | timeChart()
Save this query in the LogScale interface as “accesslog_timechart”. Now you can go back to the query input in Grafana and reference the saved query as $accesslog_timechart().
When we use our saved query, everything looks the same, so we can consider that a success!
Now that we have a baseline for what a Grafana panel looks like, we can put this together with other data sources into a single dashboard, effectively completing our observability strategy using LogScale as a key piece of the puzzle. Here’s an example of what it might look like to put LogScale logs alongside CPU metrics gathered from Prometheus and trace counts from Jaeger.
In this guide, we walked through how to connect Grafana with LogScale so that you can view and query LogScale data from within Grafana. We covered installing the Humio Datasource plugin — both natively in an operating system and using the Grafana docker image. We also covered configuration and authentication from Grafana to a LogScale repository with a Personal API Token. Finally, we demonstrated how to run LogScale queries in Grafana and leverage saved queries for portability.
For many organizations, LogScale may just be one piece of a wider observability strategy that also leverages Grafana for dashboards and visualizations. Integrating LogScale alongside other observability tools is straightforward. For technical details on other aspects of the Humio Datasource plugin for Grafana, check out the Grafana Integration documentation.