CrowdStrike Falcon LogScale

Beacon v0.0.27 adds optional CrowdStrike Falcon LogScale HTTP Event Collector (HEC) forwarding through the bundled collector. Beacon still writes every normalized endpoint event to the active runtime JSONL log; Falcon HEC forwarding is an additional collector destination for teams that want Beacon telemetry in Falcon LogScale searches and detections. Use this path when you want Beacon’s collector to send OTLP logs, traces, and metrics directly to a customer-managed Falcon LogScale HEC endpoint. The collector stores the Falcon ingest token in local Beacon collector configuration, so provide it through your endpoint-management secret store or deployment tooling.

Runtime log paths

Mode	Runtime log
User mode	`~/.beacon/endpoint/logs/runtime.jsonl`
System mode	`/var/log/beacon-agent/runtime.jsonl`

Use system mode for MDM deployments so every managed endpoint writes to /var/log/beacon-agent/runtime.jsonl while the collector forwards to Falcon LogScale.

Falcon LogScale data connection

Use CrowdStrike Falcon LogScale data onboarding to collect Beacon endpoint telemetry from local JSONL logs. Beacon writes one JSON object per line, so create a custom parser before creating the data connection.

Open data onboarding

In CrowdStrike Falcon, go to Next-Gen SIEM > Log management > Data onboarding.

CrowdStrike Falcon navigation showing Next-Gen SIEM data onboarding under Log management.

Select the Falcon LogScale Collector

Search for logscale, select Falcon LogScale Collector, then choose Configure.

CrowdStrike data connectors page filtered to the Falcon LogScale Collector connector.

Create the Beacon parser

In Parsing and enrichment, select Create new parser. Name the parser beacon-jsonl, choose Blank template, and create the parser.

CrowdStrike create new parser dialog with parser name beacon-jsonl and blank template selected.

Paste this parser script:

/*
# Beacon Endpoint Agent JSONL Parser
Parses Beacon endpoint telemetry where each log line is one JSON object.
*/
| Vendor := "beacon"
| Parser.version := "1.0.0"
| ecs.version := "8.17.0"
| Cps.version := "2.0.0"
| event.module := "endpoint-agent"
| observer.type := "endpoint"
| parseJson(prefix="Vendor.", excludeEmpty="true", handleNull="discard")
| Vendor.timestamp := Vendor.timestamp
| parseTimestamp(field="Vendor.timestamp", format="yyyy-MM-dd'T'HH:mm:ss[.SSS]XXX", timezone="UTC")
| event.kind := "event"
| event.action := Vendor.event.action
| event.module := Vendor.product
| event.provider := Vendor.vendor
| event.dataset := "beacon.endpoint-agent"
| event.code := Vendor.schema_version
| array:append(array="event.category[]", values=[Vendor.event.category])
| array:append(array="event.type[]", values=["info"])
| observer.vendor := Vendor.vendor
| observer.product := Vendor.product
| observer.version := Vendor.endpoint.agent_version
| host.hostname := Vendor.endpoint.hostname
| host.os.type := Vendor.endpoint.os
| user.name := Vendor.user.name
| user.id := Vendor.user.uid
| process.command_line := Vendor.command.command
| process.name := Vendor.tool.name
| file.path := Vendor.file.path
| file.hash.sha256 := Vendor.file.diff_hash
| message := Vendor.message

Use this sample event as parser test data:

{"timestamp":"2026-05-26T15:48:00Z","vendor":"beacon","product":"endpoint-agent","schema_version":"1.0","event":{"kind":"agent_runtime","action":"tool_use","category":"process"},"severity":"info","endpoint":{"hostname":"test-mac","os":"darwin","agent_version":"0.0.1"},"user":{"name":"justin","uid":"501"},"harness":{"name":"cursor"},"tool":{"name":"shell","command":"go test ./..."},"message":"Command executed"}

Run the parser test and confirm the parsed fields include event.dataset, event.action, host.hostname, user.name, process.name, and message. Events that include command.command also populate process.command_line. Save the parser when the sample event passes.

CrowdStrike parser editor with the Beacon JSONL parser script and test data results.

Create the data connection

Return to the Falcon LogScale Collector connection details. Enter a connection name such as Beacon Agent Logs, add a description, select the beacon-jsonl parser, enable host enrichment if desired, accept the connector terms, and create the connection.

CrowdStrike new connection details page with Beacon Agent Logs and the beacon-jsonl parser selected.

After creating the connection, open the connection actions menu and select Generate API key. Save the generated API key with the connection API URL so your LogScale Collector can authenticate when forwarding Beacon events.

CrowdStrike connection details page for Beacon Agent Logs showing the Generate API key action.

Run a smoke test

Run this local smoke test, replacing the token value with the API key generated for your data connection:

export FALCON_HEC_TOKEN='PASTE_API_KEY_HERE'
curl -sS -X POST 'https://7231610123af4402acf206f8f29d9fcd.ingest.us-2.crowdstrike.com/services/collector' \
  -H "Authorization: Bearer ${FALCON_HEC_TOKEN}" \
  -H 'Content-Type: application/json' \
  -d '{"event":{"timestamp":"2026-05-26T16:02:00Z","vendor":"beacon","product":"endpoint-agent","schema_version":"1.0","event":{"kind":"agent_runtime","action":"tool_use","category":"process"},"severity":"info","endpoint":{"hostname":"test-mac","os":"darwin","agent_version":"0.0.1"},"user":{"name":"justin","uid":"501"},"harness":{"name":"cursor"},"tool":{"name":"shell","command":"crowdstrike ingest test"},"message":"Beacon CrowdStrike HEC smoke test"},"source":"beacon-endpoint-agent","sourcetype":"beacon-jsonl"}'

A working connection returns a success JSON response. Then search LogScale for the smoke-test message:

"Beacon CrowdStrike HEC smoke test"

This is what the smoke-test event looks like in CrowdStrike:

CrowdStrike Advanced event search showing a parsed Beacon endpoint smoke test event with normalized fields.

Beacon-managed forwarding

Pass Falcon HEC settings during endpoint install:

sudo /opt/beacon/bin/beacon endpoint install \
  --system \
  --falcon-hec-endpoint https://cloud.<region>.humio.com/api/v1/ingest/hec \
  --falcon-hec-token "$FALCON_HEC_TOKEN" \
  --falcon-index beacon \
  --falcon-source beacon-endpoint-agent

To add or update Falcon HEC on an existing endpoint, run repair with the same destination flags:

sudo /opt/beacon/bin/beacon endpoint repair \
  --system \
  --falcon-hec-endpoint https://cloud.<region>.humio.com/api/v1/ingest/hec \
  --falcon-hec-token "$FALCON_HEC_TOKEN" \
  --falcon-index beacon

Settings

Setting	Recommendation
Endpoint	Falcon LogScale HEC ingest endpoint URL
Token	Falcon LogScale ingest token from your LogScale administrator
Repository	Optional repository for multi-repository tokens, passed with `--falcon-index`
Source	Optional source value. Defaults to `beacon-endpoint-agent`
Parser or sourcetype	Optional parser or sourcetype value. Defaults to `json`
TLS	Use normal certificate validation. Reserve `--falcon-insecure-skip-verify` for private test endpoints

If your Falcon LogScale endpoint uses a private CA, pass the CA bundle with --falcon-ca-file /path/to/ca.pem.

Collector behavior

When Falcon HEC is configured, Beacon writes a collector pipeline with both exporters enabled:

exporters: [beaconjson, falcon_hec]

The beaconjson exporter preserves the local runtime log. The falcon_hec exporter sends Beacon-normalized OTLP logs, traces, and metrics to Falcon LogScale as newline-delimited HEC events. Each HEC payload wraps the normalized Beacon event object, includes an @timestamp, and uses the configured token, source, sourcetype, and repository.

Validate forwarding

Confirm Beacon has the destination configured:

sudo /opt/beacon/bin/beacon endpoint status --system --json

In the JSON output, check that destinations.falcon_hec.configured is true and that the endpoint, repository, source, and sourcetype match your deployment. The token is not printed. Then write a validation event:

sudo /opt/beacon/bin/beacon endpoint wazuh validate --system

Search Falcon LogScale for the validation event and normalized Beacon fields:

product=endpoint-agent event.category=validation

"Beacon endpoint Wazuh validation event"

If events do not appear, verify that the collector service is running, the Falcon HEC endpoint accepts the configured token, the repository name matches the token scope, and TLS settings match your LogScale deployment.

sudo /opt/beacon/bin/beacon endpoint status --system --json
sudo launchctl print system/com.beacon.endpoint.collector

Content retention

Beacon content retention controls what can be written to runtime.jsonl and forwarded through Falcon HEC. Use metadata or redacted for stricter deployments:

sudo /opt/beacon/bin/beacon endpoint install \
  --system \
  --content-retention metadata \
  --falcon-hec-endpoint https://cloud.<region>.humio.com/api/v1/ingest/hec \
  --falcon-hec-token "$FALCON_HEC_TOKEN"

Use full only when prompt text, tool input, command output, and retained content match your approved telemetry collection policy.

SIEM forwarding

Review forwarding patterns and validation steps.

Endpoint install

Configure Falcon HEC forwarding during endpoint install.

Endpoint repair

Add or update Falcon HEC forwarding on an existing endpoint.

Endpoint event schema

Review normalized Beacon JSONL fields and example events.

​CrowdStrike Falcon LogScale

​Runtime log paths

​Falcon LogScale data connection

​Open data onboarding

​Select the Falcon LogScale Collector

​Create the Beacon parser

​Create the data connection

​Run a smoke test

​Beacon-managed forwarding

​Settings

​Collector behavior

​Validate forwarding

​Content retention

​Related