
CrowdStrike integration not working #11204

Open

Description

Integration Name

CrowdStrike [crowdstrike]

Dataset Name

No response

Integration Version

1.42.0

Agent Version

8.15.1

Agent Output Type

elasticsearch

Elasticsearch Version

8.15.1

OS Version and Architecture

rhel 8.5

Software/API Version

v2

Error Message

The output of the CrowdStrike SIEM integrator config is set to JSON, but I get this error in the logs:

Processor "json" with tag "decode_json" in pipeline "logs-crowdstrike.falcon-1.42.0" failed with message "Unexpected character ('/' (code 47)): Expected space separating root-level values\n at [Source: (StringReader); line: 1, column: 6]"

Event Original

No response

What did you do?

Reinstalled the integration.

What did you see?

```json
{
  "_index": ".ds-logs-crowdstrike.falcon-default-2024.09.13-000013",
  "_id": "7VIGFZIBJj9lF61IaE3x",
  "_version": 1,
  "_score": 0,
  "_source": {
    "input": {
      "type": "log"
    },
    "agent": {
      "name": "elkapplcdcpvm09.nyumc.org",
      "id": "048da647-43d1-47dc-be17-733883f03e64",
      "ephemeral_id": "f53c5413-3099-4b01-a971-90216c6729a6",
      "type": "filebeat",
      "version": "8.15.1"
    },
    "@timestamp": "2024-09-21T14:36:53.252Z",
    "ecs": {
      "version": "8.11.0"
    },
    "log": {
      "file": {
        "path": "/var/log/crowdstrike/falconhoseclient/cs.falconhoseclientworkstations.log"
      },
      "offset": 0,
      "flags": [
        "truncated",
        "multiline"
      ]
    },
    "data_stream": {
      "namespace": "default",
      "type": "logs",
      "dataset": "crowdstrike.falcon"
    },
    "elastic_agent": {
      "id": "048da647-43d1-47dc-be17-733883f03e64",
      "version": "8.15.1",
      "snapshot": false
    },
    "elastic_agent.id": [
      "048da647-43d1-47dc-be17-733883f03e64"
    ],
    "data_stream.namespace": [
      "default"
    ],
    "input.type": [
      "log"
    ],
    "log.offset": [
      0
    ],
    "log.flags": [
      "truncated",
      "multiline"
    ],
    "data_stream.type": [
      "logs"
    ],
    "tags": [
      "preserve_original_event",
      "forwarded",
      "crowdstrike-falcon"
    ],
    "event.ingested": [
      "2024-09-21T14:39:54.000Z"
    ],
    "@timestamp": [
      "2024-09-21T14:36:53.252Z"
    ],
    "agent.id": [
      "048da647-43d1-47dc-be17-733883f03e64"
    ],
    "ecs.version": [
      "8.11.0"
    ],
    "error.message": [
      "Processor \"json\" with tag \"decode_json\" in pipeline \"logs-crowdstrike.falcon-1.42.0\" failed with message \"Unexpected character ('/' (code 47)): Expected space separating root-level values\\n at [Source: (StringReader); line: 1, column: 6]\""
    ],
    "data_stream.dataset": [
      "crowdstrike.falcon"
    ],
    "log.file.path": [
      "/var/log/crowdstrike/falconhoseclient/cs.falconhoseclientworkstations.log"
    ],
    "agent.ephemeral_id": [
      "f53c5413-3099-4b01-a971-90216c6729a6"
    ],
    "agent.version": [
      "8.15.1"
    ],
    "event.dataset": [
      "crowdstrike.falcon"
    ]
  }
}
```

What did you expect to see?

parsed data

Anything else?

No response
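As an added triage example, not code from this issue or from the Elastic integration: a Python check that replays the pipeline's `decode_json` step over raw lines of the connector's output file, so you can see whether the file holds one JSON event per line, pretty-printed events spread over several lines (which a line-oriented input only sees whole if its multiline settings match), or non-JSON text that stops the decoder the way the error above does. The sample lines and event contents are constructed.

```python
import json

# Constructed sample (not from the issue) of lines a log input might read from
# the SIEM connector output file: one single-line JSON event, one non-JSON
# line of the kind that stops a JSON decoder at a '/', and one pretty-printed
# event split over several lines.
SAMPLE_LINES = [
    '{"metadata": {"eventType": "DetectionSummaryEvent"}, "event": {"Severity": 3}}',
    "2024/09/21 14:36:53 falconhoseclient started",
    "{",
    '  "metadata": {"eventType": "UserActivityAuditEvent"},',
    '  "event": {"OperationName": "twoFactorAuthenticate"}',
    "}",
]


def triage(lines):
    """Replay the decode_json step over raw lines and report what fails.

    Each rejected line is recorded with the 1-based column and the character
    at which decoding stopped, the same detail the ingest error gives.
    """
    report = {"single_line": 0, "multiline": 0, "non_json": []}
    buffer, start = [], 0
    for lineno, line in enumerate(lines, 1):
        if buffer:  # still assembling a pretty-printed event
            buffer.append(line)
            try:
                json.loads("\n".join(buffer))
            except json.JSONDecodeError:
                continue
            report["multiline"] += 1
            buffer = []
            continue
        try:
            json.loads(line)
            report["single_line"] += 1
        except json.JSONDecodeError as exc:
            if line.lstrip().startswith(("{", "[")):
                buffer, start = [line], lineno  # event may continue below
            else:
                report["non_json"].append({
                    "line": lineno, "column": exc.pos + 1,
                    "char": line[exc.pos:exc.pos + 1], "reason": exc.msg})
    if buffer:  # file ended mid-event: a shipper would emit a truncated fragment
        report["non_json"].append({"line": start, "column": None, "char": "",
                                   "reason": "unterminated multi-line JSON"})
    return report
```

Run `triage` over the real file's lines (for example `triage(open(path).read().splitlines())`) before shipping it; a non-empty `non_json` list with `char` of `/` points at the same class of input the pipeline rejected.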
