TCP (Raw)
Cribl Stream supports receiving of data over TCP. (See examples and header options below.)
Type: Push | TLS Support: YES | Event Breaker Support: YES
Configuring Cribl Stream to Receive TCP Data
From the top nav, click Manage, then select a Worker Group to configure. Next, you have two options:
To configure via the graphical QuickConnect UI, click Routing > QuickConnect (Stream) or Collect (Edge). Next, click Add Source at left. From the resulting drawer’s tiles, select [Push > ] TCP. Next, click either Add Destination or (if displayed) Select Existing. The resulting drawer will provide the options below.
Or, to configure via the Routing UI, click Data > Sources (Stream) or More > Sources (Edge). From the resulting page’s tiles or left nav, select [Push > ] TCP. Next, click New Source to open a New Source modal that provides the options below.
Cribl Stream ships with a TCP Source preconfigured to listen on Port 10060. You can clone or directly modify this Source to further configure it, and then enable it.
General Settings
Input ID: Enter a unique name to identify this TCP Source definition. If you clone this Source, Cribl Stream will add -CLONE to the original Input ID.
Address: Enter hostname/IP to listen for raw TCP data. E.g., localhost or 0.0.0.0.
Port: Enter port number.
Enable Header: Toggle to Yes to indicate that client will pass a header record with every new connection. The header can contain an authToken, and an object with a list of fields and values to add to every event. These fields can be used to simplify Event Breaker selection, routing, etc. Header format:
{ "authToken" : "myToken", "fields": { "field1": "value1", "field2": "value2" }}.
- Shared secret (authToken): Shared secret to be provided by any client (in
authTokenheader field). Click Generate to create a new secret. If empty, unauthenticated access will be permitted.
Optional Settings
Tags: Optionally, add tags that you can use to filter and group Sources in Cribl Stream’s Manage Sources page. These tags aren’t added to processed events. Use a tab or hard return between (arbitrary) tag names.
TLS Settings (Server Side)
Enabled defaults to No. When toggled to Yes:
Certificate name: Name of the predefined certificate.
Private key path: Server path containing the private key (in PEM format) to use. Path can reference $ENV_VARS.
Passphrase: Passphrase to use to decrypt private key.
Certificate path: Server path containing certificates (in PEM format) to use. Path can reference $ENV_VARS.
CA certificate path: Server path containing CA certificates (in PEM format) to use. Path can reference $ENV_VARS.
Authenticate client (mutual auth): Require clients to present their certificates. Used to perform mutual authentication using SSL certs. Defaults to No. When toggled to Yes:
Validate client certs: Reject certificates that are not authorized by a CA in the CA certificate path, or by another trusted CA (e.g., the system’s CA). Defaults to
Yes.Common Name: Regex that a peer certificate’s subject attribute must match in order to connect. Defaults to
.*. Matches on the substring afterCN=. As needed, escape regex tokens to match literal characters. (For example, to match the subjectCN=worker.cribl.local, you would enter:worker\.cribl\.local.) If the subject attribute contains Subject Alternative Name (SAN) entries, the Source will check the regex against all of those but ignore the Common Name (CN) entry (if any). If the certificate has no SAN extension, the Source will check the regex against the single name in the CN.
Minimum TLS version: Optionally, select the minimum TLS version to accept from connections.
Maximum TLS version: Optionally, select the maximum TLS version to accept from connections.
Persistent Queue Settings
In this section, you can optionally specify persistent queue storage, using the following controls. This will buffer and preserve incoming events when a downstream Destination is down, or exhibiting backpressure.
On Cribl-managed Cribl.Cloud Workers (with an Enterprise plan), this tab exposes only the Enable Persistent Queue toggle. If enabled, PQ is automatically configured in
Always Onmode, with a maximum queue size of 1 GB disk space allocated per PQ‑enabled Source, per Worker Process.The 1 GB limit is on uncompressed inbound data, and no compression is applied to the queue. This limit is not configurable. For configurable queue size, compression, mode, and other options below, use a hybrid Group.
Enable Persistent Queue: Defaults to No. When toggled to Yes:
Mode: Select a condition for engaging persistent queues.
Always On: This default option will always write events to the persistent queue, before forwarding them to Cribl Stream’s data processing engine.Smart: This option will engage PQ only when the Source detects backpressure from Cribl Stream’s data processing engine.
Max buffer size: The maximum number of events to hold in memory before reporting backpressure to the sender and writing the queue to disk. Defaults to 1000. (This buffer is per connection, not just per Worker Process – and this can dramatically expand memory usage.)
Commit frequency: The number of events to send downstream before committing that Stream has read them. Defaults to 42.
Max file size: The maximum data volume to store in each queue file before closing it and (optionally) applying the configured Compression. Enter a numeral with units of KB, MB, etc. If not specified, Cribl Stream applies the default 1 MB.
Max queue size: The maximum amount of disk space that the queue is allowed to consume on each Worker Process. Once this limit is reached, this Source will stop queueing data and block incoming data. Required, and defaults to 5 GB. Accepts positive numbers with units of KB, MB, GB, etc. Can be set as high as 1 TB, unless you’ve configured a different Max PQ size per Worker Process in Group Settings.
Queue file path: The location for the persistent queue files. Defaults to $CRIBL_HOME/state/queues. To this field’s specified path, Cribl Stream will append /<worker-id>/inputs/<input-id>.
Compression: Optional codec to compress the persisted data after a file is closed. Defaults to None; Gzip is also available.
In Cribl Stream 4.1 and later, Source-side PQ’s default Mode is
Always on, to best ensure events’ delivery. For details on optimizing this selection, see Always On versus Smart Mode.You can optimize Workers’ startup connections and CPU load at Group Settings > Worker Processes.
Processing Settings
Custom Command
In this section, you can pass the data from this input to an external command for processing before the data continues downstream.
Enabled: Defaults to No. When toggled to Yes:
Command: Enter the command that will consume the data (via stdin) and will process its output (via stdout).
Arguments: Click Add Argument to add each argument for the command. You can drag arguments vertically to resequence them.
Event Breakers
Event Breaker rulesets: A list of event breaking rulesets that will be applied to the input data stream before the data is sent through the Routes. Defaults to System Default Rule.
Event Breaker buffer timeout: How long (in milliseconds) the Event Breaker will wait for new data to be sent to a specific channel, before flushing out the data stream, as-is, to the Routes. Minimum 10 ms, default 10000 (10 sec), maxiumum 43200000 (12 hours).
Fields
In this section, you can add Fields to each event using Eval-like functionality.
- Name: Field name.
- Value: JavaScript expression to compute field’s value, enclosed in quotes or backticks. (Can evaluate to a constant.)
Pre-Processing
In this section’s Pipeline drop-down list, you can select a single existing Pipeline to process data from this input before the data is sent through the Routes.
Advanced Settings
Enable Proxy Protocol: Toggle to Yes if the connection is proxied by a device that supports Proxy Protocol v1 or v2. When this setting is enabled, the __srcIpPort internal field will show the original source IP address and port. When it is disabled, the __srcIpPort field will show the IP address and port of the proxy that forwarded the connection.
IP allowlist regex: Regex matching IP addresses that are allowed to establish a connection. Defaults to .* (i.e,. all IPs).
Max active connections: Maximum number of active connections allowed per Worker Process. Defaults to 1000. Set a lower value if connection storms are causing the Source to hang. Set 0 for unlimited connections.
Environment: If you’re using GitOps, optionally use this field to specify a single Git branch on which to enable this configuration. If empty, the config will be enabled everywhere.
Connected Destinations
Select Send to Routes to enable conditional routing, filtering, and cloning of this Source’s data via the Routing table.
Select QuickConnect to send this Source’s data to one or more Destinations via independent, direct connections.
Internal Fields
Cribl Stream uses a set of internal fields to assist in handling of data. These “meta” fields are not part of an event, but they are accessible, and functions can use them to make processing decisions.
Fields accessible for this Source:
__inputId__srcIpPort__channel
TCP Source Examples
Every new TCP connection may contain an optional header line, with an authToken and a list of fields and values to add to every event. To use the Cribl Stream Cloud sample, copy the <token_value> out of your Cribl Stream Cloud TCP Source.
{"authToken":"myToken42", "fields": {"region": "us-east-1", "AZ":"az1"}}
this is event number 1
this is event number 2 {"authToken":"<token_value>", "fields": {"region": "us-east-1", "AZ":"az1"}}
this is event number 1
this is event number 2Enabling the Example – Cribl Stream
- Configure Cribl Stream to listen on port
7777for raw TCP. SetauthTokentomyToken42. - Create a file called
test.raw, with the payload above. - Send it over to your Cribl Stream host, using this command:
cat test.raw | nc <myCriblHost> 7777
Enabling the Example – Cribl.Cloud
Use netcat with --ssl and --ssl-verify:
cat test.raw | nc --ssl --ssl-verify default.main-<Your-Org-ID>.cribl.cloud 10060With a Cribl.Cloud Enterprise plan, generalize the above URL’s
default.mainsubstring to<group-name>.mainwhen sending to other Worker Groups.