Monitoring Cribl Stream with Elasticsearch

Last edited: February 5, 2024

Are you managing a Cribl environment? We love that for you; you’re at the forefront of complex data orchestration. As the steward of this dynamic data ecosystem, you have to manage and optimize the flow of information from diverse sources. As data volumes grow, the struggle gets even more real.

No worries, though. You’ve got Cribl Stream.

Monitoring Stream is critical. When you do it effectively, you can address issues, enhance operational efficiency, and maintain peak performance in your data strategy.

Elasticsearch is one way to do that, with its fast search, ability to handle large data volumes, and AI-driven insights.

Whether you’re already an Elastic shop, are interested in custom dashboard functionalities, or want to explore some cool features, Cribl offers the flexibility to direct Cribl Metrics/Logs to your chosen destination.

Let’s get into it.

How?

Getting Started

See how quickly Elasticsearch can help troubleshoot your Cribl setups.

This short demo only uses Cribl Stream, but full instructions are over on GitHub, covering:

  • Elasticsearch preparation with Index Templates

  • Cribl Pipeline for mapping conflicts and ECS support

  • Populating leader logs for the included Dashboard

Cribl Configuration

  • Go to Stream > Manage > (Select a Worker Group) > Data > Destinations and enter elasticsearch in the search box.

  • Go to Elasticsearch and then Add Destination

  • Set Output ID to cribl_elasticsearch

  • Set Index or Data Stream to metrics-cribl-internal. This is the destination default; the __index field set on each Source below overrides it per event.

  • Fill in the appropriate Bulk API URL and Authentication for your Elasticsearch cluster.

  • Save, then go to Data > Sources and enter cribl in the search box.

  • Go to Cribl Internal and then CriblLogs

  • Go to Connected Destinations to enable QuickConnect with your Elasticsearch destination and the passthru pipeline.

  • Go to Pre-Processing and add an __index field set to logs-cribl-internal. (Optional: set a custom value in the custom_id field.)

  • Save and select CriblMetrics

  • Go to Connected Destinations to enable QuickConnect with your Elasticsearch destination and the passthru pipeline. (Optional: add the cribl_metrics_rollup pipeline to reduce storage by aggregating metrics.)

  • Go to Pre-Processing and add an __index field set to metrics-cribl-internal. (Optional: set a custom value in the custom_id field here too.)

  • Save, then commit and deploy the changes.
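To make the routing in the steps above concrete, here is an added Python example (not Cribl's code) that reimplements the two rules the configuration relies on: the per-event __index field wins over the destination's default index, and a data stream is written with the bulk create action. The sample events and their field names are constructed.

```python
import json
from datetime import datetime, timezone

# Destination default from the steps above ("Index or Data Stream").
DEFAULT_INDEX = "metrics-cribl-internal"

# Constructed sample events: one CriblLogs event and one CriblMetrics event,
# each carrying the __index set by its Source's Pre-Processing, plus one event
# that was never tagged. _time is the Cribl epoch-seconds timestamp.
SAMPLE_EVENTS = [
    {"__index": "logs-cribl-internal", "_time": 1707127200, "level": "info", "message": "worker started"},
    {"__index": "metrics-cribl-internal", "_time": 1707127260, "host": "worker-a", "value": 42},
    {"_time": 1707127320, "host": "worker-b", "value": 7},
]


def route_event(event: dict, default_index: str = DEFAULT_INDEX) -> str:
    """Data stream an event lands in: __index if set, else the destination default."""
    return event.get("__index") or default_index


def to_document(event: dict) -> dict:
    """Strip Cribl-internal __fields and give the document the @timestamp a data stream requires."""
    doc = {k: v for k, v in event.items() if not k.startswith("__")}
    ts = doc.pop("_time", None)
    when = datetime.fromtimestamp(ts, tz=timezone.utc) if ts is not None else datetime.now(timezone.utc)
    doc.setdefault("@timestamp", when.isoformat())
    return doc


def build_bulk_body(events: list, default_index: str = DEFAULT_INDEX) -> str:
    """Build an Elasticsearch _bulk NDJSON body with one create action per event.

    Data streams reject the index action; create is the only op they accept,
    which also rules out accidental overwrites of existing documents.
    """
    lines = []
    for ev in events:
        lines.append(json.dumps({"create": {"_index": route_event(ev, default_index)}}))
        lines.append(json.dumps(to_document(ev)))
    return "\n".join(lines) + "\n"  # the bulk API requires a trailing newline


if __name__ == "__main__":
    print(build_bulk_body(SAMPLE_EVENTS), end="")
```

Running it prints the six-line body; an untagged event silently lands in the destination default, which is the case to watch for when a Source's Pre-Processing is missing.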

Kibana Configuration

Dashboards, as well as Rules, can be imported with the Kibana UI:

  • Download this file (link).

  • Sign in to your Kibana space.

  • Go to Management > Stack Management.

  • Go to Saved Objects.

  • Select Import.

  • Click Import under the Select a file to import section and select the downloaded file.

  • Click Import again.

You should now have imported all available Dashboards and Rules! If you’re running into issues here, note that the Kibana setting xpack.encryptedSavedObjects.encryptionKey may need to be configured.

The Demo

From Management > Stack Management > Rules, you can now enable the included Rules.

Go to Dashboards and select the Cribl tag to filter for all Cribl dashboards easily.

Go to the Cribl Metrics – Overview dashboard, a go-to hub for quickly gauging your cluster’s performance.

Quickly see if Groups, Workers, or Worker Processes stopped reporting metrics.
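The "stopped reporting" check the dashboard gives you visually is the same logic you would put behind a Rule. As an added example (not part of the dashboards or of Cribl's code), here it is in Python over a few constructed hits from metrics-cribl-internal; the field names group, host and wp are assumptions, so substitute the ones in your own mapping.

```python
from datetime import datetime, timedelta

# Constructed sample hits, as a search on metrics-cribl-internal might return them.
# Field names (group, host, wp) are assumptions; adapt them to your mapping.
SAMPLE_HITS = [
    {"@timestamp": "2024-02-05T10:09:00Z", "group": "default", "host": "worker-a", "wp": "wp0"},
    {"@timestamp": "2024-02-05T10:02:00Z", "group": "default", "host": "worker-a", "wp": "wp1"},
    {"@timestamp": "2024-02-05T10:01:00Z", "group": "default", "host": "worker-b", "wp": "wp0"},
    {"@timestamp": "2024-02-05T09:50:00Z", "group": "edge", "host": "worker-c", "wp": "wp0"},
]

# The three levels the Overview dashboard shows, expressed as key fields.
GROUP, WORKER, PROCESS = ("group",), ("group", "host"), ("group", "host", "wp")


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 @timestamp Elasticsearch stores (with its 'Z' suffix)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def last_seen(hits: list, keys: tuple) -> dict:
    """Newest @timestamp per reporter, a reporter being identified by the given key fields."""
    seen = {}
    for hit in hits:
        reporter = tuple(hit.get(k, "") for k in keys)
        ts = parse_ts(hit["@timestamp"])
        if reporter not in seen or ts > seen[reporter]:
            seen[reporter] = ts
    return seen


def stale_reporters(hits: list, keys: tuple, now_iso: str, max_silence_s: int) -> list:
    """Reporters whose newest metric is older than max_silence_s at now_iso.

    Because the newest timestamp is taken per key, a Group is listed only when
    every Worker in it is silent, and a Worker only when every Worker Process
    on it is; a single live process keeps its parents green.
    """
    now, limit = parse_ts(now_iso), timedelta(seconds=max_silence_s)
    return sorted(r for r, ts in last_seen(hits, keys).items() if now - ts > limit)


def report(hits: list = SAMPLE_HITS, now_iso: str = "2024-02-05T10:10:00Z", max_silence_s: int = 300) -> dict:
    """Run the check at all three levels with a five-minute silence threshold."""
    return {level: stale_reporters(hits, keys, now_iso, max_silence_s)
            for level, keys in (("groups", GROUP), ("workers", WORKER), ("worker_processes", PROCESS))}
```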

At a glance, spot outliers for workers in the Overview. Afraid of load distribution imbalance? The dashboard shows this too.

You can Drill In to the details of Worker Processes or Sources and Destinations.

After narrowing down a time range, we can open the Cribl Home – Logs dashboard to see if the logs provide clarity.

What’s Next?

So now you’ve seen how quickly and effectively we can monitor Cribl. Clone these dashboards and create your own, or use some of the features not mentioned here, such as Machine Learning or ES|QL.

Also, follow the instructions on our GitHub page for the whole experience. Feel free to contribute or report issues there.

You’re welcome to share feedback and ideas in our community Slack channel. Not a member of our Slack Community yet? Join us!

Cribl, the Data Engine for IT and Security, empowers organizations to transform their data strategy. Customers use Cribl’s suite of products to collect, process, route, and analyze all IT and security data, delivering the flexibility, choice, and control required to adapt to their ever-changing needs.

We offer free training, certifications, and a free tier across our products. Our community Slack features Cribl engineers, partners, and customers who can answer your questions as you get started and continue to build and evolve. We also offer a variety of hands-on Sandboxes for those interested in how companies globally leverage our products for their data challenges.
