With the release of QuickConnect — a GUI-based tool to connect sources and destinations for quick and easy data onboarding and routing.
Since QuickConnect serves as a drag-and-drop alternative to Stream Routes, let’s take a look at how an administrator would push their Palo Alto firewall logs to their SIEM and an S3 archive using both methods.
For SIEM data, the administrator enriches events with GeoIP data while also reducing volume by removing null fields. Said admin also transforms the logs to comply with downstream formatting requirements. Finally, the administrator sends raw logs to S3 in case there’s a need for them later.
Here is a simple diagram of the environment:
Using Routes
When using Routes in Cribl Stream, our administrator navigates to Data > Sources and configures a syslog source to receive their Palo Alto logs. Next stop is Data > Destinations where they configure their SIEM output, let’s say a syslog output, and their S3 bucket. Assuming they already visited the Dispensary and found the Palo Alto Pack, the next step is creating two routes: palo2SIEM and palo2S3. Each route would trigger off the Palo traffic. The SIEM route calls out the cribl-palo-alto-networks pack while the S3 route utilizes the passthru pipeline.
Oh Stream how I configure thee, let me count the clicks. All said and done, it is roughly 20 clicks (not counting adding the cribl-palo pack) and navigating to three different pages!
Let’s Try it with QuickConnect
Now let’s do the same thing with QuickConnect.
Our admin starts by clicking Routing > QuickConnect. From there, the administrator can add their Sources and Destinations on the same page. Lastly, said admin just needs to click and drag to connect the Palo Alto syslog source to both destinations and select the pipeline or pack they want in between the two!
Hot dog that’s fast… err quick. For those of you keeping track, this comes out to 14 clicks.
Bottom Line
With the introduction of QuickConnect for Cribl Stream, administrators now have two ways to connect data inputs (sources) to their outputs (destinations). For those of you that eat, sleep, and breathe Regex, you may prefer to use Routes to send data to and fro. For admins that like a more visual interface, QuickConnect provides a GUI-based approach to data onboarding and routing, so you can drag and drop your way to full control over your observability data, while reducing time to value.
Now, go get connecting! Which “route” will you choose?
The fastest way to get started with Cribl Stream is to sign-up at Cribl.Cloud. You can process up to 1 TB of throughput per day at no cost. Sign-up and start using Stream within a few minutes.
