
Logging

jshcodes edited this page Sep 16, 2023 · 8 revisions


To assist with development and troubleshooting, FalconPy supports debug logging of all:

  • API endpoints used, including:
    • Operation ID
    • Route
    • HTTP method
  • Headers and Payloads sent
  • API responses and status codes received

FalconPy introduced debug logging functionality in version 1.3.0.

This feature must be explicitly enabled using the debug keyword when creating an instance of a Service Class or the Uber Class.

By default, debug logging is disabled, meaning debug log entries are not generated regardless of the logging level the application has configured.

Logging enablement status is a property of the FalconInterface class, so by default it is shared among Service Classes that share an auth_object via Object Authentication. It can still be enabled or disabled per Service Class by providing the debug keyword when creating an instance of the desired Service Class.

Log sanitization

The following values are redacted from debug logs by default:

  • CrowdStrike API Client IDs
  • CrowdStrike API Client Secrets
  • Bearer tokens
  • Child tenant IDs

Debug log sanitization can be disabled by setting the sanitize_log keyword to False.

⚠️ WARNING ⚠️

Disabling log sanitization causes the values listed above to be written to the console or to the created log file. Use this setting with extreme caution in production environments, and do not leave it enabled when it is not required.

Basic usage examples

The following examples demonstrate leveraging debug logging while querying the Hosts service collection.

Passing credentials

⚠️ WARNING ⚠️

client_id, client_secret and member_cid are keyword arguments that carry your CrowdStrike API credentials and the customer ID of a child tenant. Note that none of the examples below hard code these values. (These values are ingested as strings.)

CrowdStrike does NOT recommend hard coding API credentials or customer identifiers within source code.

Console logging example

import logging
import os
from falconpy import Hosts
# Credentials are read from the environment rather than hard coded
# (the variable names are illustrative).
CLIENT_ID = os.environ["FALCON_CLIENT_ID"]
CLIENT_SECRET = os.environ["FALCON_CLIENT_SECRET"]
# Configure our log level.
logging.basicConfig(level=logging.DEBUG)
# Create an instance of the Hosts Service Class, activating debugging when doing so.
hosts = Hosts(client_id=CLIENT_ID,
              client_secret=CLIENT_SECRET,
              debug=True
              )

# Use the Hosts Service Class to call the QueryDevicesByFilterScroll and GetDeviceDetails
# operations to retrieve details for one of the endpoints within our CrowdStrike tenant.
host = hosts.get_device_details(hosts.query_devices_by_filter_scroll(limit=1)["body"]["resources"])

File logging example

import logging
import os
from falconpy import Hosts
# Credentials are read from the environment rather than hard coded
# (the variable names are illustrative).
CLIENT_ID = os.environ["FALCON_CLIENT_ID"]
CLIENT_SECRET = os.environ["FALCON_CLIENT_SECRET"]
# Configure our log level, message format and debug filename.
logging.basicConfig(format="%(asctime)s %(levelname)s %(message)s",
                    filename="debug.log",
                    level=logging.DEBUG
                    )
# Create an instance of the Hosts Service Class, activating debugging when doing so.
hosts = Hosts(client_id=CLIENT_ID,
              client_secret=CLIENT_SECRET,
              debug=True
              )

# Use the Hosts Service Class to call the QueryDevicesByFilterScroll and GetDeviceDetails
# operations to retrieve details for one of the endpoints within our CrowdStrike tenant.
host = hosts.get_device_details(hosts.query_devices_by_filter_scroll(limit=1)["body"]["resources"])

Disabling log sanitization example

import logging
import os
from falconpy import Hosts
# Credentials are read from the environment rather than hard coded
# (the variable names are illustrative).
CLIENT_ID = os.environ["FALCON_CLIENT_ID"]
CLIENT_SECRET = os.environ["FALCON_CLIENT_SECRET"]
# Configure our log level.
logging.basicConfig(level=logging.DEBUG)
# Create an instance of the Hosts Service Class, activating
# debugging and disabling log sanitization when doing so.
hosts = Hosts(client_id=CLIENT_ID,
              client_secret=CLIENT_SECRET,
              debug=True,
              sanitize_log=False
              )

# Use the Hosts Service Class to call the QueryDevicesByFilterScroll and GetDeviceDetails
# operations to retrieve details for one of the endpoints within our CrowdStrike tenant.
host = hosts.get_device_details(hosts.query_devices_by_filter_scroll(limit=1)["body"]["resources"])
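When sanitize_log=False is needed for troubleshooting, or when the debug output is routed to a shared console or file, a redaction filter on the logging handler gives a second layer that masks the same classes of value the Log sanitization section lists (client IDs, client secrets, bearer tokens, child tenant IDs). This is an added example, not part of FalconPy: the logger name, the sample messages and every credential-looking value in it are constructed, and the filter works on standard library LogRecords, so it applies to whatever library emits the lines.

```python
import io
import logging
import re

# Constructed sample values; nothing here is a real credential or tenant.
SAMPLE_CLIENT_ID = "0123456789abcdef0123456789abcdef"
SAMPLE_SECRET = "constructed-secret-value"
SAMPLE_MEMBER_CID = "fedcba9876543210fedcba9876543210"
SAMPLE_MESSAGES = [
    "HEADERS: {'Authorization': 'Bearer eyJhbGciOi.constructed.token'}",
    f"PAYLOAD: {{'client_id': '{SAMPLE_CLIENT_ID}', 'client_secret': '{SAMPLE_SECRET}'}}",
    f"PAYLOAD: {{'member_cid': '{SAMPLE_MEMBER_CID}'}}",
    "STATUS: 200 for GET /devices/queries/devices-scroll/v1",
]

class RedactingFilter(logging.Filter):
    """Mask known secret values and anything shaped like a bearer token before
    the handler formats the record, whichever library emitted it."""
    BEARER_RE = re.compile(r"(?i)(bearer\s+)[A-Za-z0-9\-._~+/]+=*")

    def __init__(self, secrets):
        super().__init__()
        self._secrets = [s for s in secrets if s]

    def redact(self, text):
        text = self.BEARER_RE.sub(r"\1[REDACTED]", text)
        for secret in self._secrets:
            text = text.replace(secret, "[REDACTED]")
        return text

    def filter(self, record):
        # Render any %-style arguments first so the masked text is final.
        record.msg = self.redact(record.getMessage())
        record.args = ()
        return True

def redacted_lines(messages, secrets, logger_name="redaction_example"):
    """Log each message through the filtered handler; return the emitted lines."""
    buffer = io.StringIO()
    handler = logging.StreamHandler(buffer)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter(secrets))
    logger = logging.getLogger(logger_name)  # hypothetical name, not FalconPy's
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.handlers.clear()
    logger.addHandler(handler)
    for message in messages:
        logger.debug(message)
    return buffer.getvalue().splitlines()
```

In real use, attach the filter to the handler configured by logging.basicConfig (for example logging.getLogger().handlers[0]) and pass the same client_id, client_secret and member_cid values the Service Class was given.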
