Cribl LogStream – Docs

v.2.4.4 Release

6 months ago by Michael Katz

2021-03-30 – Cribl LogStream 2.4.4 – Maintenance Release

New Features

This release provides the following improvements:

New and Enhanced Sources and Destinations

CRIBL-1875 LogStream now has a native Source for Azure Blob Storage data.

CRIBL-4735 LogStream now has a native Prometheus Destination.

CRIBL-2705 A new Webhook Destination supports generic HTTP outputs.

CRIBL-4481 The S3 Destination now supports specifying an S3 KMS Key ID.

CRIBL-4707 An Output Router can now be assigned as the Default Destination, with error-checking for circular references.

CRIBL-4097 Sources' and Destinations' initialization and validation are now consistent across single-instance and distributed environments.

Enhanced Collectors

CRIBL-3710 The Filesystem/NFS and S3 Collectors now support path extractors, which enable template tokens to feed expressions that enrich discovery results.

CRIBL-3239 The REST Collector now automatically stringifies the values of the GET method > Collect parameters.

Security and Administration Improvements

CRIBL-2938 To prevent lockouts, LogStream users can now fall back to local authentication when external authentication providers are misconfigured, or when users' authentication fails on a properly configured external identity provider.

CRIBL-4551 To help triage network performance issues, diag bundles now include the output of sysctl -A and netstat -S operations.

Version-Management Improvements (Beta Features)

CRIBL-1502 The Master Node can now upgrade Worker Nodes to a matching LogStream version.

CRIBL-4409 You can now upgrade a subset (percentage) of Worker Nodes at Settings > System > Controls.

CRIBL-4730, CRIBL-4781 Added UI for the above rolling/partial upgrades, with a Beta flag.

Better Git Integration

CRIBL-2160 Monitoring > Logs > Audit now includes git log data about actions including specific files added, modified, or removed.

Metrics Improvements

CRIBL-4607 LogStream now sends out system metrics on CPU percentage usage (system.cpu_perc) and RAM usage (system.mem_rss) alongside other Worker metrics.

CRIBL-4550 To monitor Persistent Queue sizes under backpressure, logs' _raw stats entries now include a pqTotalBytes metric that sums all PQs' sizes.


This release includes the following fixes:

Startup and Communication Fixes

CRIBL-4651 To ensure LogStream restarts, users are now blocked from removing a CA certificate (.pem) file that is in use.

CRIBL-4667 Corrected the connections quota for Master <-> Worker communications from 1000 to infinite.

CRIBL-4659 Corrected a bug where enabling mTLS broke the ability to deploy to Workers.

Security and Authentication Fixes

CRIBL-4676 Corrected the GUI's failure to locate valid certificate .key files specified using environment variables.

CRIBL-4657 Copy buttons have been removed from encrypted fields.

CRIBL-4780 The Cribl/LogStream App for Splunk now properly applies Roles, and enables admin password changes via the UI.

Source, Destinations, and Collectors Fixes

CRIBL-4426 AWS Sources now support the US Gov East 1 Region.

CRIBL-4167 In the Syslog Source, corrected the Address field's triplicated error message. It's fixed. Really OK now.

CRIBL-4828 From the AppScope Source, corrected all metric fields to dimensions.

CRIBL-4786 Corrected the AppScope Source's trapping of the incoming data field.

CRIBL-4348 Corrected the S3 Source's erroneous configuration warning about a colon in the Queue field.

CRIBL-4332 The S3 and SQS Sources and Destinations pages' tooltips have been updated for clarity.

CRIBL-4685 The SQS Source and Destination modals now provide the missing Queue type field.

CRIBL-4764 On the Azure Event Hubs Destination, removed a Compression option unsupported by Azure.

CRIBL-4773 On the Azure Monitor Logs Destination, corrected an "Attempted to flush previously flushed buffer" error due to invalid buffer tokens.

CRIBL-4554 On Destinations' Status tab, restored the column heading for error messages.

CRIBL-4630 Corrected a Splunk Load Balanced Destination bug where the status page incorrectly displayed a 404 status ("This destination is presently experiencing problems...") for Workers restarting.

CRIBL-4529 Corrected the Splunk Load Balanced Destination's high CPU utilization and rapid memory leak (last-failed-buffer loop) when backpressure blocked incoming data.

CRIBL-4712 Corrected the Syslog Destination's leaking of Persistent Queues metadata into events when it prematurely closes connections.

CRIBL-4652 Corrected Persistent Queues' failure to fully drain.

CRIBL-4574 Corrected REST Collector's failure to redact headers.

CRIBL-4625 The S3 Collector now provides UI options to reuse connections, and to allow self-signed certs.

CRIBL-4783 Restored Collectors' missing Save & Run button.

CRIBL-4654 Corrected Collectors' redundant re‑encryption of encrypted attributes on every save.

Functions Fixes

CRIBL-4595 Corrected the Tee Function's hanging of LogStream's backend.

CRIBL-4575 Corrected an uncaughtException:...spawn python3 ENOENT error upon configuring the Tee Function to run a command that is invalid on the host machine.

CRIBL-4724 Corrected copy/paste of List of Fields between Parser Functions.

CRIBL-4706 Corrected the Prometheus Publisher (beta) Function's treatment of metrics.

CRIBL-4653 Corrected the Rename Function's failure to rename numeric fields.

CRIBL-4602 Corrected Functions' inconsistent support of typeahead/autocomplete.

Git Integration Fixes

CRIBL-4755 Corrected Git revert failures.

CRIBL-4627 For Git remote repos, relaxed the validation regex in order to match more valid URLs.

CRIBL-4601 Added git.key to .gitignore, to prevent secrets from being pushed to remote repos.

CRIBL-3774 Corrected Git Commit Changes modal's hang after uploading large files.

CRIBL-4635 Restored Git Commit & Deploy behavior with Collapse Actions enabled.

CRIBL-4628 After undoing/reverting commits, corrected errors displayed upon refreshing UI before server was fully restarted.

Data Preview and Monitoring Fixes

CRIBL-4542 Added collection jobs to Monitoring > Sources page.

CRIBL-4572 Corrected "Not Found" error when clicking Output Router > Live > Configure tab.

CRIBL-4661 Zooming up Monitoring panels now inherits the time range specified on the base Monitoring page.

CRIBL-4639 In Filter Expression fields, corrected typeahead's duplication of content.

CRIBL-4631 Corrected Capture modals' failure to close upon saving sample files.

CRIBL-4598 Corrected mismatch where Sources' Live button was grayed out, yet triggered a capture.

Lookup Fixes

CRIBL-4777 Corrected broken Lookup creation via file upload.

CRIBL-3858 Trying to save a Pipeline with a path reference to a nonexistent Lookup file now triggers an error notification.

Other UX/UI Fixes

CRIBL-3839 Corrected UI's rendering of nested dependencies.

CRIBL-4609 Corrected cases where the Ctrl+Enter/Cmd+Enter key combination did not submit forms.

CRIBL-4629 Prevented the Enter key, with no modifier key, from submitting forms.

CRIBL-4164 Fixed sortable lists' column misalignment.

Documentation Fixes

CRIBL-4666 Azure Event Hubs Source and Destination docs now include connection-string details and examples.

CRIBL-4637 Kinesis Source and Destination docs now list IAM roles' required Actions.

CRIBL-4559 Added API docs for Functions, Collectors, and Executors.

CRIBL-2065 Corrected API docs' failure to properly reference nested interfaces in examples.

CRIBL-1202 Documented how to disable Intercom widget.

CRIBL-4644 Updated Splunk Destinations' docs to match the UI's new Advanced Settings field order.

CRIBL-4672 Updated Third‑Party Credits page to match current embedded versions.