From 1f811f2cbc2fa249026c617589854bc7bcdef739 Mon Sep 17 00:00:00 2001
From: Attila Szakacs
Date: Fri, 12 May 2023 13:30:52 +0200
Subject: [PATCH 1/2] logscale: add logscale() destination
Signed-off-by: Attila Szakacs
---
 scl/CMakeLists.txt | 1 +
 scl/Makefile.am | 1 +
 scl/logscale/logscale.conf | 76 ++++++++++++++++++++++++++++++++++++++
 tests/copyright/policy | 1 +
 4 files changed, 79 insertions(+)
 create mode 100644 scl/logscale/logscale.conf
diff --git a/scl/CMakeLists.txt b/scl/CMakeLists.txt
index 01c6433270..78e2f20873 100644
--- a/scl/CMakeLists.txt
+++ b/scl/CMakeLists.txt
@@ -20,6 +20,7 @@ set(SCL_DIRS
 loadbalancer
 loggly
 logmatic
+ logscale
 mariadb
 mbox
 netskope
diff --git a/scl/Makefile.am b/scl/Makefile.am
index edff673337..f8c7b9ef6f 100644
--- a/scl/Makefile.am
+++ b/scl/Makefile.am
@@ -20,6 +20,7 @@ SCL_SUBDIRS = \
 loadbalancer \
 loggly \
 logmatic \
+ logscale \
 mariadb \
 mbox \
 netskope \
diff --git a/scl/logscale/logscale.conf b/scl/logscale/logscale.conf
new file mode 100644
index 0000000000..604954a194
--- /dev/null
+++ b/scl/logscale/logscale.conf
@@ -0,0 +1,76 @@
+#############################################################################
+# Copyright (c) 2023 Attila Szakacs
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 as published
+# by the Free Software Foundation, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# As an additional exemption you are allowed to compile & link against the
+# OpenSSL libraries as published by the OpenSSL project. See the file
+# COPYING for details.
+#
+#############################################################################
+
+# Batching best practices: https://library.humio.com/falcon-logscale/api-ingest.html#api-ingest-best-practices
+
+@requires json-plugin
+
+
+# https://library.humio.com/falcon-logscale/api-ingest.html#api-ingest-structured-data
+block destination logscale(
+ url("https://cloud.humio.com")
+ token()
+
+ rawstring("${MESSAGE}")
+ timestamp("${S_ISODATE}")
+ timezone("")
+ attributes("--scope rfc5424 --exclude MESSAGE --exclude DATE --leave-initial-dot")
+
+ batch_lines(1000)
+ batch_bytes(1024kB)
+ batch_timeout(1)
+ workers(8)
+ timeout(10)
+
+ content_type("application/json")
+ extra_headers("")
+ use_system_cert_store(yes)
+ ...)
+{
+
+@requires http "The logscale() driver depends on the syslog-ng http module, please install the syslog-ng-mod-http (Debian & derivatives) or the syslog-ng-http (RHEL & co) package"
+
+ http(
+ url("`url`/api/v1/ingest/humio-structured")
+ headers(
+ "Authorization: Bearer `token`"
+ "Content-Type: `content_type`"
+ `extra_headers`
+ )
+ delimiter(",")
+ body-prefix('[{"events":[')
+ body('$(format-json --scope none --omit-empty-values
+ rawstring=`rawstring`
+ timestamp=`timestamp`
+ timezone=`timezone`
+ attributes=$(if ("`attributes`" ne "") $(format-json --scope none `attributes`) ""))'
+ )
+ body-suffix(']}]')
+ batch-lines(`batch_lines`)
+ batch-bytes(`batch_bytes`)
+ batch-timeout(`batch_timeout`)
+ timeout(`timeout`)
+ workers(`workers`)
+ use_system_cert_store(`use_system_cert_store`)
+ `__VARARGS__`
+ );
+};
diff --git a/tests/copyright/policy b/tests/copyright/policy
index bdd6b90ab4..13c1724fb3 100644
--- a/tests/copyright/policy
+++ b/tests/copyright/policy
@@ -177,6 +177,7 @@ modules/python/python-flags.(c|h)$
 modules/python/tests/test_python_options.c$
 scl/fortigate/.*\.conf$
 scl/cee/.*\.conf$
+scl/logscale/logscale\.conf$
 scl/mariadb/.*\.conf$
 scl/python/python-modules\.conf$
 scl/splunk/splunk\.conf$
From a43000effc7d8984cd0302e27886c33d872a1694 Mon Sep 17 00:00:00 2001
From: Attila Szakacs
Date: Fri, 12 May 2023 13:42:50 +0200
Subject: [PATCH 2/2] news: add entry for #4472
Signed-off-by: Attila Szakacs
---
 news/feature-4472.md | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 news/feature-4472.md
diff --git a/news/feature-4472.md b/news/feature-4472.md
new file mode 100644
index 0000000000..638f2af2f0
--- /dev/null
+++ b/news/feature-4472.md
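Review bot: The `"Authorization: Bearer `token`"` header is sent to whatever `url()` the caller passes, and nothing in the block constrains the scheme, so a user-supplied `url("http://...")` would put the ingest token on the wire in the clear; the `https://cloud.humio.com` default together with `use_system_cert_store(yes)` is the right baseline, but the conf should state the requirement, e.g. `# url() must keep the https:// scheme: the Bearer token in headers() travels with every request` above the `url()` argument. `token()` is declared without a default; if the block machinery does not itself reject an unset argument, an omitted token produces `Authorization: Bearer ` and the resulting rejection is only visible in syslog-ng's own log, so a one-line `# token(): mandatory, the LogScale ingest token` would save users a round of debugging. `extra_headers` is spliced into `headers()` as raw config text, so a caller has to pass a quoted syslog-ng string literal inside the argument (e.g. `extra_headers('"X-Custom: 1"')`), which deserves a comment at the `extra_headers("")` default; the news entry lists the option without saying this.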
@@ -0,0 +1,23 @@
+Sending messages to CrowdStrike Falcon LogScale (Humio)
+
+The `logscale()` destination feeds LogScale via the [Ingest API](https://library.humio.com/falcon-logscale/api-ingest.html#api-ingest-structured-data).
+
+Minimal config:
+```
+destination d_logscale {
+ logscale(
+ token("my-token")
+ );
+};
+```
+Additional options include:
+ * `url()`
+ * `rawstring()`
+ * `timestamp()`
+ * `timezone()`
+ * `attributes()`
+ * `extra-headers()`
+ * `content-type()`
+
+
+__TODO: Add Andreas Friedmann and Ryan Faircloth to Contributors!!!!!__
\ No newline at end of file