Cribl - Docs

Getting started with Cribl LogStream

Questions? We'd love to help you! Meet us in #cribl (sign up)

Changelog    Guides

TCP JSON

Cribl supports sending of data over TCP in JSON format. TCP JSON is a streaming destination type.

Configuring Cribl to output in TCP JSON format


While on Destinations screen, select TCP JSON from the vertical menu, then click Add New:

  • Output Id: Enter a unique name to identify this destination definition.
  • Conditioning Pipeline: Pipeline to process data before sending it out using this output.
  • Host: Hostname of the receiver.
  • Port: Port number.
  • Auth Token: Optional authentication token to include as part of the connection header. Defaults to empty.
  • Backpressure Behavior: Whether to block or drop events when all receivers in this group are exerting backpressure. Defaults to Block.

TLS Settings (client side)

  • Disabled defaults to Yes. When toggled to No:
    • Validate Server Certs: Require client to reject connections to servers whose certs are not signed by one of the supplied CAs. Defaults to No.
    • Server Name (SNI): Server Name Indication.
    • CA Certificate Path : Path on client where to find CA certificates to use to verify the server's cert in PEM format. Path can reference $ENV_VARS.
    • Private Key Path (mutual auth): Path on client where to find the private key to use in PEM format. Path can reference $ENV_VARS. Use only if mutual auth is required.
    • Certificate Path (mutual auth) : Path on client where to find certificates to use in PEM format. Path can reference $ENV_VARS. Use only if mutual auth is required.

Then, click Save

Format


At the time of this writing, TCP JSON events are sent in new line delimited JSON format:

  1. A header line. Can be empty. E.g. {}. If Auth Token is enabled it will be included here as a field called authToken. In addition, if events contain common fields they will be included here under fields.
  2. A JSON event/record per line.

See an example here.