Events DC Leverages Cribl Stream for Cost-Effective Security

Highlights

  • Reduced SIEM ingestion volume by 30–35%, enabling more efficient licensing.

  • Streamlined onboarding of new log sources from weeks to a few hours.

  • Gained complete visibility into log flow and data health.

  • Preserved operational continuity during migration to CrowdStrike Next-Gen SIEM.

  • Added archive and replay capabilities, reducing storage costs and meeting retention goals.

One of the nation’s top convention and sports venues, Events DC operates a sprawling IT and security environment. With thousands of endpoints, a hybrid cloud infrastructure, and a rapidly expanding security footprint, the team faced a common but critical challenge: modernizing log management while keeping expenses under control. After a ransomware incident in late 2022, Events DC realized it needed better visibility and more flexibility across its security operations.

Through its trusted managed service partner True Zero Technologies, Events DC discovered Cribl. Cribl is a part of True Zero’s Actionable Intelligence Operations offering. With True Zero and Cribl, Events DC was able to break free from a cumbersome log management setup that was straining budgets and slowing innovation.

Reducing costs while maintaining visibility

Before Cribl, log data was scattered across multiple syslog servers and legacy forwarders. Ingesting this data into their Security Information and Event Management (SIEM) tool was expensive and cumbersome. Every additional gigabyte came with a hefty price tag.

Cribl Stream changed that. By implementing Stream in Cribl.Cloud as a central data pipeline, Events DC could now filter and optimize logs before they ever reached the SIEM. They used Cribl Packs for Palo Alto and Zscaler, along with a custom Packetbeat pack, trimming data volume by as much as 60% in some cases.

They also removed low-value or redundant fields, ensuring only the essential telemetry reached the SIEM. This reduction translated into a 30 to 35% decrease in license requirements for their SIEM, without compromising the quality of security monitoring.

“We have cut costs and can focus on the logs that actually matter. We’re not guessing anymore; we know exactly what’s flowing into the system.”

Zack Schwartz
CIO at Events DC

Events DC also accomplished cost savings by routing certain logs to file storage. Using this approach, Events DC built archive and replay capabilities. Logs could be kept for compliance and replayed on demand for audits or troubleshooting. This cut the volume sent to the SIEM, lowering storage costs while maintaining access to historical data. 
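The reduce-then-route pattern this section describes (drop low-value fields, send only security-relevant events live to the SIEM, archive everything for replay) as an added illustration in plain Node.js. This is not Cribl Stream's own configuration or Events DC's pipeline; the field names, the routing rule, the `DROP_FIELDS` list and the sample firewall/proxy events are all constructed, and the reduction percentage it reports describes only that sample, not the 30 to 35% figure above.

```javascript
// Added illustration: a pre-SIEM reduction/routing/replay pipeline in plain Node.js.
// Not Cribl Stream code; field names, routing rule and sample events are constructed.

// Fields treated as low value for detection and dropped before anything reaches the SIEM.
const DROP_FIELDS = new Set(['debug_trace', 'host_fqdn', 'raw']);

// Actions and severities that mark an event as security-relevant (hypothetical vocabulary).
const ALERT_ACTIONS = new Set(['deny', 'block', 'threat']);
const HIGH_SEVERITIES = new Set(['high', 'critical']);

// Constructed sample events standing in for firewall ('fw') and proxy records.
const SAMPLE_EVENTS = [
  { ts: 1700000000, source: 'fw', action: 'deny', severity: 'high', src_ip: '10.0.0.5',
    dst_ip: '203.0.113.9', debug_trace: 'x'.repeat(40), host_fqdn: 'fw01.example.internal',
    raw: 'Nov 14 22:13:20 fw01 deny tcp 10.0.0.5:51234 -> 203.0.113.9:445' },
  { ts: 1700000001, source: 'fw', action: 'allow', severity: 'info', src_ip: '10.0.0.7',
    dst_ip: '10.0.1.2', debug_trace: 'x'.repeat(40), host_fqdn: 'fw01.example.internal',
    raw: 'Nov 14 22:13:21 fw01 allow tcp 10.0.0.7:40022 -> 10.0.1.2:443' },
  { ts: 1700000002, source: 'proxy', action: 'allow', severity: 'info', src_ip: '10.0.0.8',
    url_category: 'news', debug_trace: 'x'.repeat(40), host_fqdn: 'px01.example.internal',
    raw: 'Nov 14 22:13:22 px01 allow 10.0.0.8 GET news.example.net category=news' },
  { ts: 1700000003, source: 'proxy', action: 'block', severity: 'medium', src_ip: '10.0.0.8',
    url_category: 'malware', debug_trace: 'x'.repeat(40), host_fqdn: 'px01.example.internal',
    raw: 'Nov 14 22:13:23 px01 block 10.0.0.8 GET bad.example.net category=malware' },
  { ts: 1700000004, source: 'fw', action: 'allow', severity: 'info', src_ip: '10.0.0.7',
    dst_ip: '10.0.1.3', debug_trace: 'x'.repeat(40), host_fqdn: 'fw01.example.internal',
    raw: 'Nov 14 22:13:24 fw01 allow tcp 10.0.0.7:40023 -> 10.0.1.3:22' },
];

// Copy an event without its low-value fields.
function reduceEvent(ev) {
  const slim = {};
  for (const [k, v] of Object.entries(ev)) {
    if (!DROP_FIELDS.has(k)) slim[k] = v;
  }
  return slim;
}

// Decide where a reduced event goes. Everything is archived so it can be replayed later;
// only security-relevant events are also sent live to the SIEM.
function routeEvent(ev) {
  if (ALERT_ACTIONS.has(ev.action) || HIGH_SEVERITIES.has(ev.severity)) {
    return ['siem', 'archive'];
  }
  return ['archive'];
}

// Run the pipeline and account for the volume that would have hit the SIEM versus what does.
function runPipeline(events) {
  const out = { siem: [], archive: [], inBytes: 0, siemBytes: 0 };
  for (const ev of events) {
    out.inBytes += JSON.stringify(ev).length; // unreduced ingest volume (ASCII-only samples)
    const slim = reduceEvent(ev);
    const dests = routeEvent(slim);
    for (const d of dests) out[d].push(slim);
    if (dests.includes('siem')) out.siemBytes += JSON.stringify(slim).length;
  }
  out.reductionPct = Math.round(100 * (1 - out.siemBytes / out.inBytes));
  return out;
}

// Replay archived events matching a predicate back toward the SIEM, tagged so analysts can
// tell replayed history (an audit or an investigation) from live traffic.
function replayFromArchive(archive, predicate) {
  return archive.filter(predicate).map((ev) => ({ ...ev, replayed: true }));
}

const result = runPipeline(SAMPLE_EVENTS);
console.log(`SIEM received ${result.siem.length} of ${SAMPLE_EVENTS.length} events, ` +
            `${result.reductionPct}% fewer bytes than forwarding everything unreduced`);
const replayed = replayFromArchive(result.archive, (e) => e.src_ip === '10.0.0.7');
console.log(`replay for 10.0.0.7 returns ${replayed.length} archived events`);
```

The split between `routeEvent` and `reduceEvent` is deliberate: the routing rule sees the already reduced event, which is a cheap way to confirm that nothing the SIEM content depends on was in the dropped field list. The archive copy keeps every event, so a retention or replay request never depends on what the live filter happened to let through.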

“Cribl gave us the tools to store data smartly and replay it when we need to. That keeps our SIEM lean and our costs down.”

Zack Schwartz
CIO at Events DC

Faster data onboarding and easy SIEM migrations

Onboarding new data became far simpler. Cribl Stream let Events DC build pipelines from log samples, prepare routes in advance, and test changes without touching production data. What used to take weeks now takes a few hours.

When Events DC decided to migrate SIEMs as part of its modernization initiative, Cribl Stream was critical. Migrating SIEMs could have been painful: configuring dual feeds at each source was time-consuming and required environment changes and deep technical knowledge.

Cribl’s routing flexibility meant side-by-side SIEM evaluations could happen without disruption, and Events DC selected CrowdStrike Next-Gen SIEM. Legacy systems continued receiving data while CrowdStrike Next-Gen SIEM received a mirrored stream during the migration project. The result: zero downtime, complete operational continuity, and a controlled migration.

With the ease of Cribl Stream, the team was able to migrate SIEMs and still onboard new feeds. Third-party audit logs, for example, were onboarded in parallel with the migration as if they were part of the original plan.

“Before Cribl, adding a new source was a weeklong project. Now we can onboard a new feed in an afternoon.”

Zack Schwartz
CIO at Events DC

Better data visibility with simpler management

One of Cribl’s most significant advantages is its ease of use and reduced overhead. Events DC deployed Stream rapidly and moved away from heavy forwarders and legacy SIEM inputs. The intuitive interface, combined with reusable pipelines and out-of-the-box packs, meant the team could focus on operational improvements rather than fighting infrastructure.

This speed also translated to testing new pipelines safely. Events DC could experiment with formats, routing, and filtering in isolated sandboxes, gaining confidence before applying changes to production.

“It’s straightforward. We didn’t need outside help to get Cribl running, and we could immediately focus on making the system better.”

Zack Schwartz
CIO at Events DC

Now, with all logs centralized through Cribl Stream, Events DC has previously unimaginable visibility into data flow. Internal metrics and live capture features allowed engineers to see precisely which logs were received, how they were processed, and where they were sent.

This observability created confidence. Teams could verify that all logs were tagged correctly and enriched consistently before reaching the SIEM. While Events DC isn’t performing enrichment yet, the groundwork is in place for future initiatives.

“Now we can watch our logs move in real time and know that they’re correct before they even hit the SIEM. That visibility is huge.”

Zack Schwartz
CIO at Events DC

Preparing for the future

With Cribl Stream in place, Events DC is positioned for future growth. They now have a single, centralized point of control for all observability data. Adding new sources, scaling storage, or integrating with future security tools will be seamless.

The combination of Cribl Cloud, Stream, and True Zero Technologies’ Actionable Intelligence Operations (AIO) managed service allows the organization to remain agile, reduce vendor lock-in, and pivot quickly if operational needs change.

“Cribl gives us flexibility. We’re no longer trapped by a vendor or technology. We can innovate faster and smarter.”

Zack Schwartz
CIO at Events DC


TL;DR

  • Events DC faced costly, fragmented log management and a ransomware-induced urgency to modernize.

  • Cribl Stream centralized logs, reduced SIEM ingestion by 30 to 35%, and preserved operational continuity during a migration to CrowdStrike Next-Gen SIEM.

  • Onboarding new sources dropped from weeks to hours. Real-time visibility and side-by-side pipeline comparisons improved confidence and data quality.

  • Archive and replay capabilities reduced infrastructure overhead and maintained compliance.

  • Deployment was rapid and intuitive, allowing the team to focus on operational improvement rather than troubleshooting.

  • With Cribl Cloud and True Zero’s support, Events DC now operates with flexibility, insight, and cost efficiency, and is well-prepared for whatever comes next.

About Events DC

Events DC is the premier host of conventions, sports, entertainment, and cultural events in the nation’s capital. Events DC owns and operates 12 venues, including the Walter E. Washington Convention Center, Nationals Park, the Entertainment & Sports Arena, and the historic Carnegie Library. As the official convention and sports authority for Washington, DC, we create experiences that engage, excite and entertain visitors from around the world and benefit our local economy and community.

About Cribl

Cribl makes open observability a reality for today’s tech professionals. The Cribl product suite defies data gravity with radical levels of choice and control. Wherever the data comes from, wherever it needs to go, Cribl delivers the freedom and flexibility to make choices, not compromises. It’s enterprise software that doesn’t suck, enables tech professionals to do what they need to do, and gives them the ability to say “Yes.” With Cribl, companies have the power to control their data, get more out of existing investments, and shape the observability future. Founded in 2017, Cribl is a remote-first company with an office in San Francisco, CA. For more information, visit cribl.io or our LinkedIn, Twitter, or Slack community.
