Introducing Cribl LogStream v1.1

Written by Dritan Bitincka

November 12, 2018

We’re pleased to unveil our v1.1 release with several new capabilities and a host of new features

This version of Cribl LogStream continues our promise to deliver unique intelligence, control and compliance over your logs and metrics data in real-time. It puts the admins in control and gives users the right data, with the right context, delivered to the right systems to enable operations, security and analytics without pushing every requirement back to developers, vendors or source systems.

Version 1.1 adds support for new sources, new destinations, out-of-the-box content, knowledge library, and introduces a new deployment model focused on scalability


New Sources and Destinations


New Sources

  • Elastic Beats: We now support data ingestion from Elastic Beats using the Elastic Bulk API. If you have a Beats infrastructure you can now point it to Cribl.
  • TCP JSON: This version adds support for high performance ingestion via a simple TCP JSON protocol. TLS and authentication tokens are also supported.
  • HTTP/S: In addition, ingestion via HTTP/HTTPS is now supported using a new Cribl Event API. Authentication tokens are supported, too.

New Destinations

  • Splunk HEC: With this version, a Cribl pipeline can send data to a Splunk HEC receiver. Advanced settings for queue and routing are also supported.
  • Splunk Load Balanced:  This version adds support for load balancing to Splunk receivers. Read about our new history-based, adaptive load balancing method here.
  • Elasticsearch: You can now use Cribl to send outgoing data to an Elasticsearch cluster using the Elastic Bulk API.
  • Amazon Kinesis Data Streams:  This version also adds support for sending the output of a pipeline to a Kinesis Data Stream.
  • Honeycomb: In addition, we also now support Honeycomb datasets as pipeline destinations (via HTTPS).


Out of The Box Content and Knowledge Library

With this version we started shipping out-of-the-box content in the form of data processing pipelines and knowledge libraries.

PipelinesThis version ships with 3 pipelines that target data sources that are known to have low signal-to-noise ratio. By default, they are passive/not associated with any route but they can be modified per user requirements. In our testing all 3 pipelines showed data savings of over 30%. YMMV.

  • Windows Event Logs Pipeline: Cleans up specific Event Codes, and drops superfluous descriptions/text bodies.
  • Cisco ASA Pipeline: Removes unncesssary connection teardown messages and smartly samples events that indicate permitted traffic.
  • Palo Alto Traffic Pipeline: Removes events with log_subtype=start as they often have incorrect app assignment and smartly but aggressively samples traffic with 0 bytes and that that flows from trusted to trusted zones.

Knowledge Library: This version also ships with a library of some of the most common regular expressions. Like the pipelines above, the regex library can be extended and users can edit or add their own. Library entries can then be searched, retrieved and used while building functions.


Scalable Splunk Deployment Model

With addition of HEC and Load Balancing to as outputs to multiple Splunk receivers, as well as based on customer demand, we are now updating our guidance for deploying Cribl in a distributed Splunk environment.


The following options are now supported:

Option A: Deploying Cribl on a Splunk Heavy Forwader
Option B: Deploying Cribl on a Splunk Indexer and directly listening for parsed data
Option C: Deploying Cribl on a Splunk Indexer (when no HFs are available)

The recommended and correct option will depend on your requirements and architecture. However, on all cases Cribl will work with parsed data.


I’d be remiss if I didn’t mention FDM – the Fine Dark Mode! Version 1.1 introduces an exquisitely beautiful and disruptive innovation that makes the UI easier on your eyes 🙂  The switch can be found under Settings | Display Settings


If you are interested in Cribl, please check out cribl.io and download your copy to get started. If you’d like more details on installation or configuration, see our documentation. If you need assistance, please join us in Slack #cribl, tweet at us @cribl_io, or contact us via hello@cribl.io. We’d love to help you!

Enjoy it!  — The Cribl Team

Get Cribl LogStream Now!

Questions about our technology? We’d love to chat with you.

So you're rockin' Internet Explorer!

Classic choice. Sadly, our website is designed for all modern supported browsers like Edge, Chrome, Firefox, and Safari

Got one of those handy?