Cribl LogStream – Docs

Getting started with Cribl LogStream

Questions? We'd love to help you! Meet us in #cribl (sign up)
Download manual as PDF - v2.2.0

    Docs Home


Cribl LogStream supports receiving of data over syslog.


Type: Push | TLS Support: YES

Configuring Cribl LogStream to Receive Data over Syslog

While on the Sources screen, select Syslog from the left menu, then click Add New. The resulting New Syslog source pane provides the following fields.

Source Settings

Input ID: Enter a unique name to identify this Syslog source definition.

Address: Enter the hostname/IP on which to listen for data., E.g. localhost or

UDP port: Enter the UDP port number to listen on. Not required if listening on TCP.

TCP port: Enter the TCP port number to listen on. Not required if listening on UDP.

TLS Settings (TCP Only)

Enabled: Defaults to No. When toggled to Yes:

Certificate name: The name of the predefined certificate.

Private key path: Server path containing the private key (in PEM format) to use. Path can reference $ENV_VARS.

Passphrase: Passphrase to use to decrypt private key.

Certificate path : Server path containing certificates in (PEM format) to use. Path can reference $ENV_VARS.

CA certificate path : Server path containing CA certificates (in PEM format) to use. Path can reference $ENV_VARS.

Authenticate client (mutual auth): Require clients to present their certificates. Used to perform mutual authentication using SSL certs. Defaults to No. When toggled to Yes:

  • Common name: Regex matching peer certificate subject common names allowed to connect. Defaults to .*.

Validate client certs: Require server to reject any connection that is not authorized with the list of supplied CAs. Defaults to No.

Advanced Settings

Enable proxy protocol: Defaults to No. Toggle to Yes if the connection is proxied by a device that supports Proxy Protocol V1 or V2.

IP whitelist regex: Regex matching IP addresses that are allowed to send data. Defaults to .* (i.e., all IPs).

Max buffer size (events) : Maximum number of events to buffer when downstream is blocking. The buffer is only in memory. This setting is only applicable for UDP syslog. The number of events in the buffer can be viewed by clicking the Live button on the Manage Syslog source page then viewing the Status tab.

Default timezone: Timezone to assign to timestamps without timezone info. Defaults to local.

Single msg per UDP: Whether to treat UDP packet data received as a full Syslog message. Defaults to No. (I.e., newlines in the packet will be treated as event delimiters.)

Processing Settings

Fields (Metadata)

In this section, you can add fields/metadata to each event, using Eval-like functionality.

Name: Field name.

Value: JavaScript expression to compute field's value (can be a constant).

Conditioning Pipeline

In this section's drop-down list, you can select a single existing Pipeline to process data from this input before the data is sent through the Routes.

Internal Fields

Cribl LogStream uses a set of internal fields to assist in handling of data. These "meta" fields are not part of an event, but are accessible and Functions can use them to make processing decisions.

Field(s) for this source:

  • __inputId
  • __srcIpPort

Updated 4 days ago


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.