# CROWDSTRIKE

#### Introduction:

The Falcon [SIEM Connector](https://www.crowdstrike.com/resources/data-sheets/falcon-connector/) provides a turnkey, SIEM-consumable data stream. The Falcon SIEM Connector:

- Transforms CrowdStrike API data into a format that [a SIEM](https://www.crowdstrike.com/epp-101/what-is-siem-in-cybersecurity/) can consume
- Maintains the connection to the CrowdStrike Event Streaming API and to your SIEM
- Manages the data-stream pointer so that events are not lost when the connector restarts

![](https://2078222076-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MMRHZBPHlLDUc8519fX%2F-Mflk9HCXq1qFu9oad_8%2F-Mfr1dFAAN1711VyVR2b%2Fimage.png?alt=media\&token=b6f4ba6b-7d85-4dee-9c35-9afeb27d6197)

#### Prerequisites:

Before using the Falcon SIEM Connector, define an API client and set its scope. Refer to this [guide to getting access to the CrowdStrike API](https://www.crowdstrike.com/blog/tech-center/get-access-falcon-apis/) for creating a new API client. Make sure the new client's scope includes read access for Event streams; that is the only scope the connector uses, so do not grant it anything broader.

![](https://2078222076-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MMRHZBPHlLDUc8519fX%2F-Mflk9HCXq1qFu9oad_8%2F-Mfr2A3sHcxpsYMoMzxJ%2Fimage.png?alt=media\&token=f41ebfc0-3843-4f8a-bb5a-a0a013eb40be)

The CrowdStrike Falcon SIEM Connector (SIEM Connector) runs as a service on a local Linux server.

The resource requirements (CPU/Memory/Hard drive) are minimal and the system can be a VM.

- Supported OS (64-bit only):
  - CentOS/RHEL 6.x-7.x
  - Ubuntu 14.x
  - Ubuntu 16.04
  - Ubuntu 18.04
- Connectivity: Internet access and the ability to reach the CrowdStrike Cloud over HTTPS (TCP 443)
- Authorization: a CrowdStrike API client with the Event streams read scope
- Time: the clock on the host running the Falcon SIEM Connector must be accurate (NTP is recommended); TLS certificate validation and OAuth2 token expiry both depend on it

#### Installation and Configuration:

To get started, download the install package for the SIEM Connector (rpm for CentOS/RHEL, deb for Ubuntu) from the [CrowdStrike Falcon UI](https://falcon.crowdstrike.com/support/tool-downloads). For a more comprehensive guide, see the [SIEM Connector Feature Guide](https://falcon.crowdstrike.com/support/documentation/14/siem-connector).

![](https://2078222076-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MMRHZBPHlLDUc8519fX%2F-Mflk9HCXq1qFu9oad_8%2F-Mfr2yWMMJx9bZqikTYh%2Fimage.png?alt=media\&token=7346c7e6-391a-47c4-9b4b-92f991e5cee3)

Download the package for your operating system to the Linux server you’d like to use.

Open a terminal and run the installation command, where `<installer package>` is the file you downloaded:

- CentOS/RHEL: `sudo rpm -Uvh <installer package>`
- Ubuntu: `sudo dpkg -i <installer package>`

The last step before starting the SIEM Connector is to pick an output configuration. The SIEM Connector can:

- Write to a local file (your SIEM or another tool must then read that file)
- Send to a syslog server (most modern SIEMs have a built-in syslog receiver; prefer a TCP or TLS listener over UDP where your SIEM supports it, since the stream carries detection details)
- Emit a format such as CEF or LEEF that your SIEM expects

Here is a flow diagram of how to pick the right configuration file:

![](https://2078222076-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MMRHZBPHlLDUc8519fX%2F-Mflk9HCXq1qFu9oad_8%2F-Mfr3YAQIIr0fHSZ0DSa%2Fimage.png?alt=media\&token=a86ae4a7-4aeb-419d-ae1c-bcb83c733a4d)

To get you started, we'll use the default output (a JSON file) and change only the Client ID and Client Secret. Since we're testing with a single SIEM Connector, `app_id` can stay at its default; if you later run more than one connector, give each its own `app_id`.

Open the SIEM Connector config file with sudo and your favorite editor, and set the `client_id` and `client_secret` options:

`/opt/crowdstrike/etc/cs.falconhoseclient.cfg`

The file now contains an API secret, so keep it readable only by root (or by the account the service runs as).

![](https://2078222076-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MMRHZBPHlLDUc8519fX%2F-Mflk9HCXq1qFu9oad_8%2F-Mfr3en9rWdVQ2s3puws%2Fimage.png?alt=media\&token=e67d78be-5d80-4054-8a64-96db936edb57)

Once you save the configuration file, start the SIEM Connector service with the command for your distribution:

- CentOS/RHEL: `sudo service cs.falconhoseclientd start`
- Ubuntu 14.x: `sudo start cs.falconhoseclientd`
- Ubuntu 16.04 and later: `sudo systemctl start cs.falconhoseclientd.service` (add `sudo systemctl enable cs.falconhoseclientd.service` if it should start at boot)

To verify that the setup is correct and connectivity has been established, watch the log file:

`tail -f /var/log/crowdstrike/falconhoseclient/cs.falconhoseclient.log`

You should see a Heartbeat. If you see an error message that mentions the access token, double-check your CrowdStrike API Client ID and Secret, and confirm the API client has the Event streams read scope.

![](https://2078222076-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MMRHZBPHlLDUc8519fX%2F-Mflk9HCXq1qFu9oad_8%2F-Mfr3ilYtn9m9dF8ureN%2Fimage.png?alt=media\&token=d3152d93-6fca-40b5-b99a-0abe89d57880)
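The configure, start and verify steps above as one script. This is an added example, not CrowdStrike's own tooling: the config and log paths and the service name come from this page, but the script assumes the config keys are literally `client_id` and `client_secret` (one per line) and that the log lines that matter contain the words "Heartbeat" or "token"; the exact log wording is not documented here, so the matching is deliberately loose.

```shell
#!/bin/sh
# Added example, not CrowdStrike's own tooling: set the API credentials in
# the SIEM Connector config, start the service, then read the log for the
# Heartbeat / access-token outcome the steps above describe.
# Assumptions (not stated on the page): the config keys are literally
# "client_id" and "client_secret", one per line, and the log lines that
# matter contain the words "Heartbeat" or "token".
set -eu

CFG="${CFG:-/opt/crowdstrike/etc/cs.falconhoseclient.cfg}"
LOG="${LOG:-/var/log/crowdstrike/falconhoseclient/cs.falconhoseclient.log}"

# Rewrite client_id / client_secret in the config file $1 to $2 / $3.
# Returns 2 if either key is missing rather than silently changing nothing.
set_credentials() {
  cfg="$1"; id="$2"; secret="$3"
  grep -Eq '^client_id[[:space:]]*=' "$cfg" || return 2
  grep -Eq '^client_secret[[:space:]]*=' "$cfg" || return 2
  tmp="$(mktemp "${cfg}.XXXXXX")"
  # Line-by-line rewrite instead of sed, so a secret containing sed
  # metacharacters (& | \) cannot corrupt the file.
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      client_id=*|"client_id "*)         printf 'client_id = %s\n' "$id" ;;
      client_secret=*|"client_secret "*) printf 'client_secret = %s\n' "$secret" ;;
      *)                                 printf '%s\n' "$line" ;;
    esac
  done < "$cfg" > "$tmp"
  mv "$tmp" "$cfg"    # atomic replace: a crash mid-write leaves the old file intact
  chmod 600 "$cfg"    # the file now holds an API secret: owner-only access
}

# Classify the most recent lines of the connector log $1:
#   0 = Heartbeat seen (connector is streaming)
#   3 = access-token error (recheck client_id / client_secret / scope)
#   1 = nothing conclusive yet (service not up, or still connecting)
# Only the last relevant line counts, so an old token error followed by a
# later Heartbeat is reported as healthy.
check_log() {
  last="$(tail -n 200 "$1" | grep -Ei 'heartbeat|token' | tail -n 1)" || true
  [ -n "$last" ] || return 1
  if printf '%s\n' "$last" | grep -iq heartbeat; then
    return 0
  fi
  if printf '%s\n' "$last" | grep -Eiq 'error|fail|invalid|denied|unauthori[sz]ed|401|403'; then
    return 3
  fi
  return 1
}

# Start the daemon with whichever init system the host has: systemd
# (Ubuntu 16.04+, RHEL/CentOS 7), upstart (Ubuntu 14.x) or SysV (CentOS 6).
start_connector() {
  if command -v systemctl >/dev/null 2>&1; then
    systemctl start cs.falconhoseclientd.service
  elif command -v initctl >/dev/null 2>&1; then
    start cs.falconhoseclientd
  else
    service cs.falconhoseclientd start
  fi
}

# Interactive entry point: run as root with "sh falcon-siem-setup.sh setup".
# The secret is read from the terminal with echo off, so it never appears
# on a command line or in shell history. Without the argument this file
# only defines the functions above.
if [ "${1:-}" = "setup" ]; then
  printf 'API client ID: '; read -r id_in
  printf 'API client secret: '; stty -echo; read -r secret_in; stty echo; echo
  set_credentials "$CFG" "$id_in" "$secret_in"
  start_connector
  sleep 15   # give the connector time to request a token and open the stream
  rc=0; check_log "$LOG" || rc=$?
  case "$rc" in
    0) echo "Heartbeat seen: the connector is streaming." ;;
    3) echo "Access-token error: check client_id, client_secret and the Event streams read scope." >&2; exit 1 ;;
    *) echo "No verdict yet; keep watching with: tail -f $LOG" ;;
  esac
fi
```

Two design points worth noting. The credentials are rewritten with a read loop rather than `sed`, because a secret containing `&`, `|` or `\` would otherwise be mangled or break the substitution; and the rewritten file is replaced atomically and left at mode 600, since it now holds the API secret. If the connector runs under a dedicated service account rather than root, chown the file to that account afterwards.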

#### Conclusion:

The process above shows how to get started with the CrowdStrike Falcon SIEM Connector. There are many more options for this connector (using a proxy to reach the streaming API, custom log formats and syslog configurations, etc.) that can be found in the “[SIEM Connector Feature Guide](https://falcon.crowdstrike.com/support/documentation/14/siem-connector)” as part of the Documentation package in the Falcon UI.
