Cribl LogStream – Docs

Cribl LogStream Documentation


v2.2.1 Release

about a year ago by Michael Katz
  • Improvement: CRIBL-2438 Added support for outputting Collectors > Discovery results to Routes as event per file.

  • Improvement: CRIBL-2831 Added Discovery completion indicator in Job Stats.

  • Improvement: CRIBL-2923 Added file-size indicator to Discovery Jobs.

  • Improvement: CRIBL-2926 Added support for recognizing non-numeric timezone offsets.

  • Improvement: CRIBL-2943 Added license notification display in Group deploy.

  • Improvement: CRIBL-2998 Added API that enables a single token (and fields) to be added to an existing HEC input.

  • Improvement: CRIBL-2949 Added documentation on which Destinations support Persistent Queues and metrics.

  • Improvement: CRIBL-2988 Added documentation on Indexer Discovery.

  • Improvement: CRIBL-2989 Added documentation on proxy-server configuration.

  • Improvement: CRIBL-3007 Added documentation on CPU and memory requirements for the Master.

  • Improvement: CRIBL-3045 Added documentation on running LogStream at boot.

  • Improvement: CRIBL-2250 Added Parser support for throwaway fields, whose names are formatted as: __<variablename>.

  • Improvement: CRIBL-1505 Added queue metrics to monitoring panels.

  • Improvement: CRIBL-2821 Added encryption of args.json (including AWS credentials) before writing to disk, with decryption on read.

  • Improvement: CRIBL-2969 Added support for maintaining source field from S3 Sources.

  • Fix: CRIBL-2495 Blocked editing of Job Collectors whose Collector ID begins with /.

  • Fix: CRIBL-2508 Corrected cribl boot-start enable behavior on systemd systems.

  • Fix: CRIBL-2595 Corrected API Docs for /jobs/:id/results/:group?.

  • Fix: CRIBL-2714 Enabled saving of empty Event Breaker rulesets.

  • Fix: CRIBL-2769 Hid Master's hostname in Master > Worker Groups > $Group > Settings > Licensing.

  • Fix: CRIBL-2778 Improved TaskManifest read/write/update design.

  • Fix: CRIBL-2779 Improved retrieval of Job metrics.

  • Fix: CRIBL-2809 Addressed no handler error when upgrading in-product from 2.1.3 to 2.1.4.

  • Fix: CRIBL-2810 Added redirect to Routes page upon attempting to view Worker Nodes > Jobs from Master.

  • Fix: CRIBL-2827 Corrected switching from dark to light mode.

  • Fix: CRIBL-2857 Clarified Elasticsearch Destination as Elasticsearch API.

  • Fix: CRIBL-2879 Hid s3fs Destination partition expression after removal.

  • Fix: CRIBL-2889 Provided graceful error message when specifying Job Collector path to file name instead of directory.

  • Fix: CRIBL-2891 Corrected Monitoring dashboard's search and filtering behavior.

  • Fix: CRIBL-2896 Corrected default CloudTrail Event Breaker's event display with custom Filters.

  • Fix: CRIBL-2899 Enabled sorting by clicking Discovery > List of files column header.

  • Fix: CRIBL-2901 Updated AWS iconography on Sources and Destinations.

  • Fix: CRIBL-2904 Moved Collectors > Region field right under S3 Bucket field.

  • Fix: CRIBL-2909 Updated naming of Jobs components/classes for better readability.

  • Fix: CRIBL-2912 Corrected filters' application to Script Collector > Discover results.

  • Fix: CRIBL-2917 Corrected Job Stats' display of event processing chart for running and recently completed Jobs.

  • Fix: CRIBL-2920 Corrected hiding of extra Run buttons when Collectors > Actions column is hidden.

  • Fix: CRIBL-2924 Removed Throttling field from Distributed Settings > Worker Mode display.

  • Fix: CRIBL-2940 Corrected partial Eval expressions for scripts.

  • Fix: CRIBL-2942 Prevented saving multiple copies of same Sample file during ongoing live capture.

  • Fix: CRIBL-2946 Corrected File Header Event Breaker to properly hide null-valued fields in Sample Preview mode.

  • Fix: CRIBL-2955 Corrected JSON Array Event Breaker's handling of CloudTrail events.

  • Fix: CRIBL-2960 Corrected Collectors page's availability after deleting a full-run Job.

  • Fix: CRIBL-2961 Documented LogStream's browser compatibility.

  • Fix: CRIBL-2963 Added TLS v.1.3 to General Settings page's Minimum TLS version and Maximum TLS version drop-downs.

  • Fix: CRIBL-2968 Corrected File Header Event Breaker's improper merging of events and fields.

  • Fix: CRIBL-2975 Corrected cases where connect() hung.

  • Fix: CRIBL-2985 Corrected Monitoring status display for "nested" Sources (e.g., syslog:tcp).

  • Fix: CRIBL-2991 Corrected e.replace is not a function errors when message fields contain non-alphabetic characters.

  • Fix: CRIBL-3016 Corrected Master's false indicators that active Worker Groups were down.

  • Fix: CRIBL-3022 Updated Encryption Use Case docs.

  • Fix: CRIBL-3027 Addressed Syslog Source issue in recognizing timestamps with tz of the form XX:XX.

  • Fix: CRIBL-3041 Addressed gaps in Persistent Queues data by scaling timeout interval proportionally to maximum file size.

  • Fix: CRIBL-3042 Corrected empty Monitoring > Destinations > Live > Test page on Distributed deployments.

  • Fix: CRIBL-3059 Corrected an issue where not all events matching a specific Route were processed by the Route.

  • Fix: CRIBL-3099 Clarified Numerify documentation about fields to ignore.

  • Fix: CRIBL-3107 Removed misleading Queue Size indicator from Distributed mode > Master view > metrics dashboard.

  • Fix: CRIBL-2953 Corrected responses when trying to assign Splunk HEC tokens via API on Master.

  • Fix: CRIBL-3109 Resolved error response to Add HEC Token API call, when running in Distributed mode.

  • Fix: CRIBL-3018 Devised workaround for indexer discovery with TLS.

  • Fix: CRIBL-3118 Corrected Select All/Deselect All interactions with filters: these actions now affect only visible items.

  • Fix: CRIBL-3119 Corrected SSO/OIDC authentication allowlists to ignore case.