What Makes CrowdStrike Falcon LogScale So Fast

At CrowdStrike, I speak with lots of customers. One question I get all the time is, “What makes Falcon LogScale so fast?”

Speed is a relative term in log management; technology can feel either fast or slow depending on what you’re used to. I’ve learned that what people really want to know is what makes Falcon LogScale faster than their current log management platform. 

Before I answer that, let’s first examine why speed is top of mind in log management. 

Why Speed Is Essential in Log Management

Speed is important in log management because time is always a limiting factor. Whether you work in SecOps, DevOps or ITOps, you’re constantly searching your logs for information — and you can’t take action until you’ve got those results. 

Say a new exploit comes out and you have a set of field names to search. Depending on how much data you’re searching, legacy log management platforms could take hours to return a query — if it comes back at all. Extrapolate that out to a team of analysts searching for similar patterns, and a bad query could translate to many hours wasted … and more time for the enemy to move laterally within your environment. 

Search speed isn’t just important to big security operations, however. For a small business that constantly runs queries, shaving a few minutes off each search can add up to a lot of productivity gained or lost over an extended period of time. 

The Speed of Falcon LogScale

CrowdStrike Falcon® LogScale is CrowdStrike’s log management and observability solution. The index-free technology provides a modern alternative to traditional log management platforms, which make it cost-prohibitive and inefficient to log everything. 

Falcon LogScale can ingest and search log data at petabyte scale with minimal latency. In my experience, most customers are less concerned with the nitty-gritty details of the technology, and more concerned with having a solution that is consistent, performant and scalable.

So what makes it fast? The speed of Falcon LogScale really comes down to three things. I’ll start with the facts, then share an analogy. 

  1. Compression: With Falcon LogScale, data is primarily stored in compressed segments on disk. Multiple levels of compression allow these segments to hold extremely large volumes of data. At query time, only the segments that still need scanning are loaded into memory, decompressed and then searched.
  2. Tags: Tags are identifiers added to the data at ingest, e.g. #type=boxes. A query that filters on a tag lets Falcon LogScale immediately identify which segments need to be searched and skip the rest. 
  3. Bloom filters: A Bloom filter is a compact, probabilistic summary of the terms contained in each segment. When asked whether a query term is in a segment, it answers either “no” or “maybe.” A “no” is definitive, so that segment is never decompressed; a “maybe” can be a false positive, so the segment is decompressed and scanned to confirm. 

So how does this translate into fast searches? Pretend you’ve got 100 boxes packed full of household objects, and you’d like to know which boxes contain shoes. A tag tells you which 10 boxes to check first. The Bloom filter then tells you that 8 of those 10 boxes definitely don’t contain shoes. That leaves two of the original 100 boxes to search. You now dump out the contents of just those two boxes and find shoes in one of them (the other was a false positive from the Bloom filter, which is exactly why the final scan is still needed). Instead of searching all 100 boxes, you’ve immediately narrowed the work down to two. 
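The three mechanisms and the box analogy above, reduced to runnable Python. This is an added illustration written for this page, not Falcon LogScale code, and it makes its own simplifying assumptions: each segment holds two lines, the only tag is the source type, the Bloom filter is 1024 bits with three SHA-256-derived hash positions, tokens are split on anything other than word characters and dots, and the sample log lines are constructed. Tags prune first, the Bloom filter prunes next, and only the surviving segments are decompressed and brute-force scanned. A substring query has to skip the Bloom step (`whole_token=False`), because a per-token filter can only answer for whole tokens and would otherwise produce a false negative.

```python
import hashlib
import re
import zlib
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events (not real telemetry): (source type, raw line).
SAMPLE_LOGS = [
    ("web", "2024-05-01T10:00:01Z host=web-01 GET /index.html 200 src=198.51.100.7"),
    ("web", "2024-05-01T10:00:02Z host=web-01 GET /login 200 src=203.0.113.9"),
    ("web", "2024-05-01T10:00:03Z host=web-02 POST /login 302 src=198.51.100.8"),
    ("web", "2024-05-01T10:00:04Z host=web-02 GET /admin 403 src=203.0.113.9"),
    ("web", "2024-05-01T10:00:05Z host=web-03 GET /index.html 200 src=198.51.100.9"),
    ("web", "2024-05-01T10:00:06Z host=web-03 GET /static/app.js 200 src=198.51.100.7"),
    ("auth", "2024-05-01T10:00:07Z host=dc-01 user=alice result=success src=198.51.100.7"),
    ("auth", "2024-05-01T10:00:08Z host=dc-01 user=bob result=failure src=203.0.113.9"),
    ("firewall", "2024-05-01T10:00:09Z host=fw-01 action=allow src=198.51.100.7 dst=10.0.0.5"),
    ("firewall", "2024-05-01T10:00:10Z host=fw-01 action=deny src=192.0.2.44 dst=10.0.0.5"),
]

TOKEN_RE = re.compile(r"[\w.]+")


def tokenize(line):
    """Lower-case tokens; '.' is kept so IPs and file names stay single tokens."""
    return set(TOKEN_RE.findall(line.lower()))


class BloomFilter:
    """Fixed-size bit set, k hash positions per token (assumed sizes, not the product's).
    might_contain() is False only if the token was never added (definitive 'no');
    True means 'maybe' and can be a false positive, never a false negative."""

    def __init__(self, num_bits=1024, num_hashes=3):
        self.num_bits = num_bits
        self.num_hashes = num_hashes
        self.bits = 0  # Python int used as an arbitrary-width bit set

    def _positions(self, token):
        for i in range(self.num_hashes):
            digest = hashlib.sha256(f"{i}:{token}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.num_bits

    def add(self, token):
        for pos in self._positions(token):
            self.bits |= 1 << pos

    def might_contain(self, token):
        return all((self.bits >> pos) & 1 for pos in self._positions(token))


@dataclass
class Segment:
    seg_id: str
    tags: dict          # ingest-time identifiers, e.g. {"type": "web"}
    compressed: bytes   # zlib-compressed raw lines; decompressed only when scanned
    raw_len: int
    bloom: BloomFilter


def build_segments(logs, lines_per_segment=2):
    """Group lines by tag, cut each group into segments, compress and summarise."""
    by_type = defaultdict(list)
    for source_type, line in logs:
        by_type[source_type].append(line)
    segments = []
    for source_type, lines in by_type.items():
        for i in range(0, len(lines), lines_per_segment):
            chunk = lines[i:i + lines_per_segment]
            bloom = BloomFilter()
            for line in chunk:
                for tok in tokenize(line):
                    bloom.add(tok)
            raw = "\n".join(chunk).encode()
            segments.append(Segment(f"{source_type}-{i // lines_per_segment}",
                                    {"type": source_type}, zlib.compress(raw),
                                    len(raw), bloom))
    return segments


def search(segments, keyword, tags=None, whole_token=True):
    """Tag filter -> Bloom prune -> decompress and brute-force scan the survivors."""
    keyword = keyword.lower()
    tags = tags or {}
    stats = {"total": len(segments), "total_bytes": sum(s.raw_len for s in segments)}
    # 1. Tags: keep only segments whose ingest-time identifiers match exactly.
    cands = [s for s in segments if all(s.tags.get(k) == v for k, v in tags.items())]
    stats["after_tags"] = len(cands)
    # 2. Bloom: drop every segment that answers 'no'. Valid only for whole-token
    #    queries; a substring query must skip this step or it will miss data.
    if whole_token:
        cands = [s for s in cands if s.bloom.might_contain(keyword)]
    stats["after_bloom"] = len(cands)
    # 3. Decompress the remaining segments and scan them line by line.
    hits, scanned = [], 0
    for s in cands:
        raw = zlib.decompress(s.compressed)
        scanned += len(raw)
        for line in raw.decode().splitlines():
            matched = keyword in tokenize(line) if whole_token else keyword in line.lower()
            if matched:
                hits.append((s.seg_id, line))
    stats["scanned_bytes"] = scanned
    stats["hits"] = hits
    return stats


SEGMENTS = build_segments(SAMPLE_LOGS)
```

Running `search(SEGMENTS, "203.0.113.9", tags={"type": "web"})` narrows five segments to the three tagged `web`, then to those whose filter answers “maybe” (normally just the two that really contain the address), and the scan confirms one hit in each; `scanned_bytes` against `total_bytes` shows how little had to be decompressed. The same query without the tag filter also surfaces the `auth` hit, which is the pivot the post describes. The real product’s segment sizes, hash functions and filter dimensions are not described on this page.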

In practice, search speeds vary depending on many factors, such as the type of data you’re searching, how much data you’re searching, the time period, etc. But assuming equivalent resources, the brute-force search technology of Falcon LogScale routinely outperforms legacy log management platforms, allowing you to react and respond to threats faster. 

Flexibility Matters, Too

Back to our exploit example above. If you want to pinpoint every system impacted by the exploit, you’ll have to pivot often as you search through different fields. You may have an idea the string should be present somewhere in the logs, but you don’t know where. This could take days — or weeks — of searching using legacy log management tools. 

With the flexible search of Falcon LogScale, you can type in the keyword you’re searching for without any prior knowledge of the data. As the search executes, it streams back results, allowing you to refine the search on the fly. This flexibility allows you to quickly pivot until you find exactly what you need — resulting in much faster investigations. 

Compare that to running a query, waiting for the results, refining the query, waiting for results, attempting to pivot, etc. Falcon LogScale is the antidote to this outdated search methodology. 

Speed at Any Scale

Speed makes a big difference when you start to scale into more modern, high-intensity environments. For every 10,000 sensors deployed, roughly one terabyte (TB) of log data is generated per day. So for a customer with 100,000 sensors, that’s 10 TB of telemetry per day — a huge amount of data for most customers to deal with.

With legacy platforms, these high data volumes not only equate to high licensing costs, they also require a huge amount of resources to manage. 

That 10 TB adds up quickly, too. At 10 TB per day you pass a petabyte in about 100 days, so in less than four months you might be looking at over a petabyte of data. Things get even slower when you’re dealing with hot, warm and cold storage, and you’ve got to spend time figuring out how you want that layered and set up.

Conversely, with Falcon LogScale, your log data is always searchable. There are no tiers — once the data is ingested, you can instantly search it for as long as your retention period dictates. And we pair this speed with a low total cost of ownership that allows you to ingest and search all your log data in a way that was never possible before.

As we’ve covered in this post, Falcon LogScale offers incredibly fast and flexible search that routinely outperforms legacy platforms. One customer who just wrapped up a proof of value (POV) with Falcon LogScale said, “This is the search speed we deserve.” 

Regardless of your role, if you search log data, Falcon LogScale will give you the fast answers you need to power your productivity and protect your business.
