Route data to multiple destinations
Enrich data events with business or service context
Search and analyze data directly at its source, an S3 bucket, or Cribl Lake
Reduce the size of data
Shape data to optimize its value
Store data in S3 buckets or Cribl Lake
Replay data from low-cost storage
Collect logs and metrics from host devices
Centrally receive and route telemetry to all your tools
Redact or mask sensitive data
Optimize data for better threat detection and response
Streamline infrastructure to reduce complexity and cost
Simplify Kubernetes data collection
Optimize logs for value
Control how telemetry is stored
Easily handle new cloud telemetry
Ensure freedom in your tech stack
Accelerate the value of AIOps
Effortlessly search, collect, process, route and store telemetry from every corner of your infrastructure—in the cloud, on-premises, or both—with Cribl. Try the Cribl Suite of products today.
Learn moreGet started quickly without managing infrastructure
Get telemetry data from anywhere to anywhere
Streamline collection with a scalable, vendor-neutral agent
Easily access and explore telemetry from anywhere, anytime
Store, access, and replay telemetry.
AI-powered tools designed to maximize productivity
Instrument, collect, observe
Get hands-on support from Cribl experts to quickly deploy and optimize Cribl solutions for your unique data environment.
Work with certified partners to get up and running fast. Access expert-level support and get guidance on your data strategy.
Get inspired by how our customers are innovating IT, security, and observability. They inspire us daily!
Read customer storiesFREE training and certs for data pros
Log in or sign up to start learning
Step-by-step guidance and best practices
Tutorials for Sandboxes & Cribl.Cloud
Ask questions and share user experiences
Troubleshooting tips, and Q&A archive
The latest software features and updates
Get older versions of Cribl software
For registered licensed customers
Advice throughout your Cribl journey
Connect with Cribl partners to transform your data and drive real results.
Join the Cribl Partner Program for resources to boost success.
Log in to the Cribl Partner Portal for the latest resources, tools, and updates.
Case Study
“WITH CRIBL.CLOUD, WE SUCCESSFULLY HIJACKED THE ENDGAME DATA STREAM. EVEN BETTER, I CARVED UP ALL SEVEN DIFFERENT DATA TYPES IN THE ENDGAME STREAM, SENDING EACH ONE TO ITS OWN PIPELINE.”
SHELDON CARMICHAEL,
INFORMATION SECURITY ARCHITECT
“I SPENT A COUPLE OF WEEKS CASUALLY WORKING THROUGH CRIBL PIPELINES TO DO THE MOST REDUCTION OUT OF THE GATE. WE’RE REDUCING 9.25TB OF DAILY EDR DATA DOWN TO A LITTLE OVER 5TB A DAY — 41% TOTAL REDUCTION. INSTEAD OF HOLDING DATA IN ELASTIC FOR SEVEN DAYS, WE’RE HOLDING IT FOR 45.”
SHELDON CARMICHAEL,
INFORMATION SECURITY ARCHITECT
Share:
To spot unusual activity on endpoints, including point-of-sale (POS) devices, Sally Beauty’s security team wanted a cleaner way to bring Endgame endpoint detection and response (EDR) data into Elastic Cloud. “Like many data sources, Endgame doesn’t let you pick and choose which components of the data stream you send, and where,” says Sheldon, Information Security Architect for Sally Beauty. That meant some data sent to Elastic Cloud was redundant. Other data wasn’t properly converted to the Elastic Common Schema (ECS), slowing down threat investigation and remediation.
“We wanted a more resilient and flexible data pipeline,” Sheldon says. The immediate need was converting the right Endgame data to ECS, and dropping unneeded fields to make room for additional data sources and retain relevant data for longer.
“We don’t want our security engineers spending hours becoming wizards in Elastic, Logstash, and syslog-ng. With Cribl, they don’t have to, which frees up more time for our real jobs – security. That’s Cribl’s biggest ROI.”
Sheldon Carmichael
Information Security Architect
Sally Beauty saved even more time by replacing its syslog-ng and Logstash servers with redundant Cribl workers. The cutover was “quick and relatively painless,” according to Carmichael. “Compared to our syslog-ng and Logstash servers, Cribl pipelines are much more straightforward to manage, and they give me both GUI and command line access,” he says. He estimates that his team manages Cribl in one-quarter of the time they spent managing Logstash and syslog. “We don’t want our security engineers spending hours becoming wizards in Elastic, Logstash, and syslog-ng,” says Sheldon. “With Cribl, they don’t have to, which frees up more time for our real jobs — security. That’s Cribl’s biggest ROI.”
The redundant Cribl workers also make the data engine more resilient and easier to manage. The team performs rolling upgrades and maintenance on individual workers without interrupting the data flow.
Besides moving Endgame data into Elastic, Sally Beauty also uses Cribl to pull IT and Security data from sources that don’t have the capability to push, like their Network Detection and Response (NDR) solution and Microsoft Office365. “Before Cribl, to pull data from our NDR solution and O365, we had to run python scripts on separate servers acting as middleware to pull the data we wanted. That just adds to the systems and resources to maintain, along with everything else we have to manage manually vs in an automated fashion.” says Sheldon. “Cribl allowed us to collapse multiple functions and resources into a single solution with enterprise-grade support,” said Sheldon. This resilience, time savings, and flexibility is what ultimately persuaded Sheldon’s leadership to invest in Cribl.
Now Sheldon is planning to use Cribl to modify the Endgame dataset to emulate Elastic Agent data streams. “By doing this we can take advantage of Elastic’s hundreds of built-in detections, and add custom exclusions that persist when Elastic updates its rules, without having to modify each rule every time there’s an upgrade,” he says. The potential time savings are huge. Today the team has to clone the built-in detection rules, modify the observed indices in the rule to include Endgame, and add custom exceptions to tune the rules to Sally Beauty’s environment.
By using Elastic’s built-in detections and the modified data stream from Cribl, Sheldon expects to save significant time supporting upgrades, and to strengthen the company’s security footprint by using more properly tuned and updated detection rules. “A future version of Elastic might give me that capability,” he says. “But the fact that I can do it today with Cribl is pretty awesome, and allows me to apply the same functions to any other observability data we bring into our pipeline.”
Next up for Sally Beauty? Using Cribl to enrich the Endgame stream — for example, by mapping IP addresses to the device’s location (geo-IP) and incorporating threat intelligence. Wrapping up, Sheldon says, “We’ve seen big benefits from Cribl, and I’m a fan. If anyone reading this comes to a Cribl meetup, look me up if you want to talk nerdy.”
“Our CISO knows the value of NDR and O365 observability data for security, and he also understood it was a huge pain for our team to search and parse the data. With Cribl, the world is our oyster when it comes to search.”
Sheldon Carmichael
Information Security Architect
Classic choice. Sadly, our website is designed for all modern supported browsers like Edge, Chrome, Firefox, and Safari
Got one of those handy?