Cribl - Docs

Getting started with Cribl LogStream


Before Deploying

Deployment Options


There are two deployment options for Cribl: standalone or as a Splunk app. Which one you choose depends on your requirements. Both packages are available for download here.

Requirements and Supported Platforms

  • OS:
    • Linux: Red Hat, CentOS, Ubuntu, AWS Linux, SUSE (64-bit)
    • macOS 10.13 and 10.14
  • System:

Recommended AWS Instance Types
c5d.2xl or higher (8vCPUs, 16GB RAM, 200GiB NVMe SSD)
c5.2xl or higher (8vCPUs, 16GB RAM, EBS)
c3.2xl or higher (8vCPUs, 15GB RAM, 2x160GiB SSD)

(the higher the CPU clock, the better)

As of v1.7, Node is no longer a runtime dependency.

Network Ports

Cribl needs these ports to be available by default:

  • Cribl UI. Default: 9000 (both options)
  • Cribl HTTP In. Default: 10080 (Standalone)
  • Splunk to Cribl data port. Default: localhost:10000 (Cribl App for Splunk)
  • | criblstream Splunk search command to Cribl. Default: localhost:10420 (Cribl App for Splunk)

Overriding Default Ports

The above ports can be overridden in the following configuration files:

  • Cribl UI port (9000): Default definitions for host, port and other settings are set in $CRIBL_HOME/default/cribl/cribl.yml and can be overridden by defining alternatives in $CRIBL_HOME/local/cribl/cribl.yml.

  • Data Ports: HTTP In (10080), TCPJSON In (10420), Splunk to Cribl (10000): Default definitions for host, port and other settings are set in $CRIBL_HOME/default/cribl/inputs.yml and can be overridden by defining alternatives in $CRIBL_HOME/local/cribl/inputs.yml.
    Note: For Splunk to Cribl, the corresponding server attribute in [tcpout:cribl], defined by default in default/outputs.conf on the Splunk side, can be overridden by redefining it in local/outputs.conf (Splunk conf file precedence applies: local overrides default).

[tcpout:cribl]
server=127.0.0.1:<myPort>

Security Considerations


At the time of this writing:

  • With the Cribl App for Splunk package, data flow from Splunk to Cribl is confined to localhost:10000 and/or localhost:10420.
  • With the Cribl App for Splunk package, the UI/API port 9000 can be authenticated either locally or against Splunk's admin role.
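One way to verify the localhost confinement described above on a host running the Cribl App for Splunk (an added example, not part of the Cribl documentation): the script parses `ss -H -ltn` output and flags the Splunk-to-Cribl data ports when they listen on anything other than loopback. The sample output is constructed, and treating port 9000 as allowed on any interface is this example's assumption.

```python
import ipaddress

# Ports come from this page; the expected bind scope is this example's
# reading of "Security Considerations" (Cribl App for Splunk package).
EXPECTED = {
    9000: "any",        # UI/API port (authenticated); assumption: may be remote
    10000: "loopback",  # Splunk to Cribl data port
    10420: "loopback",  # | criblstream search command to Cribl
}

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:9000 0.0.0.0:*
LISTEN 0 128 127.0.0.1:10000 0.0.0.0:*
LISTEN 0 128 [::]:10420 [::]:*
LISTEN 0 128 127.0.0.1:8089 0.0.0.0:*
"""

def parse_listener(line):
    """Return (host, port) for a LISTEN row, or None for anything else."""
    fields = line.split()
    if len(fields) < 4 or fields[0] != "LISTEN":
        return None
    host, _, port = fields[3].rpartition(":")
    if not port.isdigit():
        return None
    return host.strip("[]").split("%")[0], int(port)  # drop brackets, zone id

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # "*" or an unparsable address: treat as exposed
        return False

def audit(ss_output):
    """List (port, host, problem) for each deviation from EXPECTED."""
    findings, seen = [], set()
    for line in ss_output.splitlines():
        parsed = parse_listener(line)
        if parsed is None or parsed[1] not in EXPECTED:
            continue
        host, port = parsed
        seen.add(port)
        if EXPECTED[port] == "loopback" and not is_loopback(host):
            findings.append((port, host, "exposed beyond localhost"))
    for port in sorted(set(EXPECTED) - seen):
        findings.append((port, None, "not listening"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SS):
        print(finding)
```

If a default port has been overridden in local/cribl/inputs.yml or local/outputs.conf, update `EXPECTED` to match before running the check against real `ss` output.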
