Configuring CrowdStrike Falcon Host to Communicate with JSA


To send LEEF events from CrowdStrike Falcon Host to JSA, you must install and configure the Falcon SIEM Connector.

You must have access with administrator privileges to the Falcon Streaming API. To enable access, contact CrowdStrike support (

  1. Obtain an API key and UUID to configure the SIEM Connector.
    1. Log in to the Falcon user interface.

    2. Select People App, and then click the Customer tab.

      The People App option is only visible to admin users.

    3. Click Generate new API key.

    4. Make a copy of the API key and the UUID.

  2. Install the Falcon SIEM Connector.

    Note: The Falcon SIEM Connector needs to be deployed on premises on a system running either CentOS or RHEL 6.x-7.x. Internet connectivity to the CrowdStrike Cloud is also required.


    You must have Admin (root) privileges.

    • Use the provided RPM to install the Falcon SIEM Connector.

      rpm -Uhv /path/to/file/cs.falconhoseclient-<build_version>.<OS_version>.rpm

    The Falcon SIEM Connector installs in the /opt/crowdstrike/ directory by default.

    A service is created in the /etc/init.d/cs.falconhoseclientd/ directory.

  3. Configure the SIEM Connector to forward LEEF events to JSA.

    The configuration files are located in the /opt/crowdstrike/etc/ directory.

    • Rename cs.falconhoseclient.leef.cfg to cs.falconhoseclient.cfg for LEEF configuration settings. The SIEM Connector uses the cs.falconhoseclient.cfg configuration by default.

    The following table describes some of the key parameter values for forwarding LEEF events to JSA.

    Table 1: Key Parameter Values

    • Description: The version of authentication to be used. In this case, it is the API Key Authentication version.

    • Description: The SIEM connector connects to this endpoint URL.

    • Description: An arbitrary string identifier for connecting to Falcon Streaming API.
      Value: Any string. For example, FHAPI-LEEF

    • Description: The API key is used as the credential for client verification.
      Value: Obtained at step 1

    • Description: The UUID is used as the credential for client verification.
      Value: Obtained at step 1

    • Description: To enable or disable syslog push to syslog server, set the flag to true or false.

    • Description: The IP or host name of the SIEM.
      Value: The JSA SIEM IP or host name where the Connector is forwarding the LEEF events.

    • Description: Header prefix and fields are delimited by this value.
      Value: The value must be a pipe (|).

    • Description: The delimiter value that is used to separate key-value pairs.
      Value: The value must be a tab (\t).

    • Description: This datetime field value is converted to specified time format.
      Value: The default field is devTime (device time). If a custom LEEF key is used for setting device time, use a different field name.

  4. Start the SIEM Connector service by typing the following command:

    service cs.falconhoseclientd start

    1. If you want to stop the service, type the following command:

      service cs.falconhoseclientd stop

    2. If you want to restart the service, type the following command:

      service cs.falconhoseclientd restart

Verify that Falcon SIEM Connector is configured to send events to JSA.
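
One way to check the event format while verifying the connector, as an added example that is not part of the original documentation or of CrowdStrike's software: the Python below parses a line against the pipe header delimiter, tab field delimiter and devTime field from Table 1 and reports what would break parsing on the SIEM side. It assumes the LEEF 1.0 header layout (five pipe-delimited header fields before the attributes); the sample events, including the vendor and product strings, are constructed.

```python
# Added example: checks a LEEF 1.0 line against the delimiters in Table 1.
# Assumption: LEEF 1.0 header layout; the sample events are constructed.

HEADER_DELIM = "|"      # header prefix and fields (Table 1)
FIELD_DELIM = "\t"      # key-value pair separator (Table 1)
TIME_FIELD = "devTime"  # default datetime field (Table 1)


def parse_leef(line):
    """Split a LEEF 1.0 line into (header dict, attribute dict)."""
    # Syslog may prepend priority/timestamp/host; skip to the LEEF marker.
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header found")
    parts = line[start:].rstrip("\r\n").split(HEADER_DELIM, 5)
    if len(parts) != 6:
        raise ValueError("header is not pipe-delimited into 5 fields plus attributes")
    keys = ("leef_version", "vendor", "product", "version", "event_id")
    header = dict(zip(keys, parts[:5]))
    attrs = {}
    for pair in parts[5].split(FIELD_DELIM):
        if not pair:
            continue
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError("attribute without '=': %r" % pair)
        attrs[key] = value
    return header, attrs


def check_event(line):
    """Return a list of problems that would break parsing on the SIEM side."""
    try:
        _, attrs = parse_leef(line)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if TIME_FIELD not in attrs:
        problems.append("missing " + TIME_FIELD)
    # Heuristic: a wrong field delimiter leaves several pairs fused in one value.
    for key, value in attrs.items():
        if " " in value and "=" in value.split(" ", 1)[1]:
            problems.append("value of %s looks like fused key=value pairs" % key)
    return problems


# Constructed sample events (not captured from a real connector).
GOOD = "LEEF:1.0|CrowdStrike|FalconHost|1.0|DetectionSummaryEvent|devTime=2024-01-01 00:00:00\tsev=4\tusrName=alice"
BAD = GOOD.replace("\t", " ")  # space used instead of tab as field delimiter
```

Feed check_event() a line captured on the syslog port; an empty list means the header and attribute delimiters match Table 1 and devTime is present.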
