Case Study

At an International Convenience Store Conglomerate, Cribl Stream Paid for Itself by Optimizing Logs—Now It’s Simplifying Compliance and Increasing Business Visibility

star-round-framed
Highlights

“WHEN WE PLUG A NEW DATA SOURCE INTO CRIBL STREAM, WE CAN SORT OUT WHAT WE NEED TO INGEST INTO SPLUNK IN LESS THAN AN HOUR, SOMETIMES MINUTES, AND ADJUST THE FILTER ON THE FLY. ADDING A NEW DATA SOURCE IN SPLUNK TYPICALLY TOOK A FULL WEEK.”

SECURITY AND COMPLIANCE DIRECTOR, IT

“RIGHT OUT OF THE BOX CRIBL REDUCED LOG VOLUME, CLOUD EGRESS COSTS, AND SPLUNK LICENSE COSTS.”

SECURITY AND COMPLIANCE DIRECTOR, IT

“REDUCTION IN LOG VOLUME PAID FOR CRIBL OUT OF THE BOX—AND EVERYTHING ELSE IS GRAVY. WHEN I TALK TO PEOPLE ABOUT CRIBL, I SAY, ‘MAKE A WISH LIST FOR WHAT YOU WANT TO DO WITH YOUR LOG DATA AND TAKE THAT WISH LIST TO CRIBL. DON’T JUST ASK THEM TO DO WHAT YOU’RE ALREADY DOING TODAY BECAUSE WITH CRIBL YOU CAN DO MUCH MORE.’”

SECURITY AND COMPLIANCE DIRECTOR, IT

Share:

An international convenience store conglomerate operates 14,000 convenience stores in 20 countries and supplies jet fuel to more than 140 airports. Business is growing—and so is the log data produced by security devices, servers, and applications running in multiple clouds and colocation facilities in North America and Europe.

“We used to route all security log data to Splunk for monitoring,” says the international convenience store’s Security and Compliance Director, IT. “But only a small fraction of the 25 billion monthly events we see are significant. To make the most of our volume-based Splunk license, we had to be strategic about which data we were sending to Splunk for analysis.”

While he was at it, the director also wanted to start collecting application event data for the developers who produce the games on their website, which brings customers into stores to collect their prizes. Otherwise, developers would find their own ways to get that data, a security risk.

Cloud Egress and License Savings “Right Out of the Box”
The convenience store conglomerate found its answer in Cribl Stream, recommended by Trace3, an IT service provider. “We liked the flexibility of having a single observability pipeline that can collect data from any source and forward it to any destination, including Splunk or a data lake in AWS S3,” says Security and Compliance Director, IT. Cribl worker nodes installed in public clouds encrypt, compress, reduce, and enrich log data before forwarding it to the destination.

“On the first day of the proof of value I knew we’d found our solution. Right out of the box Cribl Stream reduced log volume, cloud egress costs, and Splunk license costs.”

During the proof of value, the team saw:
  • 53% reduction in size of Windows logs by cleaning up white space, dropping low-value fields like comments, and reformatting in JSON.
  • 61% reduction in size of Okta logs and 47% fewer logs by dropping synthetic log data.
  • 41% reduction in firewall logs.
  • 40% reduction in size of Windows Service logs.
  • 99% reduction in number of Perfmon logs and 93% reduction in size of Perfmon logs.
More Splunk License Headroom, New Data Sources In Minutes
The data volume that Splunk ingests dropped by about half, freeing up existing license for more data sources. Equally valuable, adding new data sources for security investigations now takes minutes instead of days.

“When we plug a new data source into Cribl Stream, we can sort out what we need to ingest into Splunk in less than an hour, sometimes minutes, and adjust the filter on the fly. In contrast, adding a new data source in Splunk typically took a full week. We’ve shifted our efforts from mundane work like adding data sources to strategic activities that strengthen security and compliance.”

Simpler Compliance with Automated Retention
Cribl Stream also simplified compliance with Payment Card Industry Data Security Standards (PCI DSS) rules. Depending on the nature of the data, retention periods vary from 90 days to 13 months. For simplicity’s sake, the company used to retain it all for 13 months.

“Now that we have Cribl Stream look at the host, user, and event type to fork the relevant events to the Splunk index with the right retention period, storage costs have dropped.”

Getting the Right Data to the People Who Need It

Having met goals to reduce log volume and costs, the team is starting to use Cribl Stream to help IT and security practitioners work smarter. For example, to record changes to a SaaS application that’s subject to SOX controls, the director quickly wrote a script that detects file changes and who made them. Cribl Stream forks the information to a Splunk index. “Automating this process satisfies the auditors and our own internal controls,” the director says.

Windows admins can more quickly zero in on performance issues thanks to the more compact Perfmon logs. A Cribl lookup table filters the data based on host and process names, ignoring processes that are currently running. Developers can see significant application events and monitor resources. “We’re pulling application logs into Cribl and then forking them to developers’ Slack channels,” the director explains.

And Cribl Stream saved the day when Splunk temporarily couldn’t retrieve log data from some cloud apps. the team temporarily pointed all data sources to Cribl, which forwarded the important log data to Splunk. “Reduction in log volume paid for Cribl out of the box—everything else is gravy,” the director says.

“When I talk to people about Cribl, I say, ‘Make a wish list for what you want to do with your log data, and take that wish list to Cribl. Don’t just ask them to do what you’re already doing today because with Cribl you can do much more.’”

Find out how your business can implement an observability pipeline to parse, restructure, and enrich data in flight, while cutting costs and simplifying operations.

Get Cribl, and take control of your data.

TL;DR

About Cribl

Cribl, the Data Engine for IT and Security, empowers organizations to transform their data strategy. Customers use Cribl’s vendor-agnostic solutions to analyze, collect, process, and route all IT and security data from any source or in any destination, delivering the choice, control, and flexibility required to adapt to their ever-changing needs. Cribl’s product suite, which is used by Fortune 1000 companies globally, is purpose-built for IT and Security, including Cribl Stream, the industry’s leading observability pipeline, Cribl Edge, an intelligent vendor-neutral agent, and Cribl Search, the industry’s first search-in-place solution. Founded in 2018, Cribl is a remote-first workforce with an office in San Francisco, CA.

Learn more: cribl.io
Try now: Cribl Sandboxes
Join us: Slack community
Follow us: LinkedIn and Twitter

Pixel Mask

So you're rockin' Internet Explorer!

Classic choice. Sadly, our website is designed for all modern supported browsers like Edge, Chrome, Firefox, and Safari

Got one of those handy?