On This Page

Home / Edge/ Integrations/ Collecting Data/ System·System State Source

System State Source

The System State Source collects snapshots of the host system’s current state, on a configurable schedule, and sends them out as events to downstream systems for operational and security analytics.

Type: System | TLS Support: N/A | Event Breaker Support: No

You can’t configure custom System State Sources.

This Source is available in Cribl.Cloud on customer-managed hybrid Workers, but not on Cribl-managed Workers in Cribl.Cloud. It is also available on Windows, but only for Cribl Edge.

Configure Cribl Edge to Collect System State Events

  1. On the top bar, select Products, and then select Cribl Edge. Under Fleets, select a Fleet. Next, you have two options:
    • To configure via QuickConnect, navigate to Routing > QuickConnect (Stream) or Collect (Edge). Select Add Source and select the Source you want from the list, then choose Select Existing.
    • To configure via the Routes, select Data > Sources (Stream) or More > Sources (Edge). Select the Source you want.
  2. Select the default in_system_state to open the configuration modal.
  3. Configure the following under General Settings:
    • Enabled: Toggle on to enable the Source.
    • Input ID: This is prefilled with the default value in_system_state, which cannot be changed via the UI, due to the single‑Source restrictions above.
    • Description: Optionally, enter a description.
  4. Next, you can configure the following Optional Settings:
    • Polling interval: How often to collect metrics, in seconds. Defaults to 10. Each run of the state collector generates events with identical _time values.
    • Tags: Optionally, add tags that you can use to filter and group Sources in Cribl Edge’s UI. These tags aren’t added to processed events. Use a tab or hard return between (arbitrary) tag names.
  5. Optionally, you can adjust the Collector, Processing, and Advanced settings, or Connected Destinations outlined in the sections below.
  6. Select Save, then Commit & Deploy.

Collector Settings

Cribl Edge contains the following System State collectors:

Host Info

With the Enabled toggle on (the default), Cribl Edge will create events based on entries collected from the hosts file.

A partial list of Host Info events includes:

  • host
  • hostOs (when Cribl Edge is running in a container)
  • timestamp
  • cribl.version
  • cribl.mode
  • cribl.group
  • cribl.config_version
  • os.arch
  • os.cpu_count

See the Explore > System State > Host Info UI for a full list of events.

The System State Source provides live system information, with most tabs updating periodically based on the Polling Interval configured in the Source. However, the data in the Host Info tab is collected once when the Source is started and does not update dynamically.

Disks and File Systems

With the Enabled toggle on (the default), Cribl Edge will collect entries on physical disks, partitions, and mounted filesystems. These entries can help you monitor drive status, including available space, percent utilization, inode availability, wait times, and number of blocks free.

On Cribl Edge, this option is available for Windows and Linux. You must create a different Fleet for each OS. For details see, Mapping Edge Nodes to Fleets.

For each physical disk, Cribl Edge will collect:

  • name
  • size (in blocks)
  • blockSize (in bytes)
  • model
  • serial
  • firmware
  • partitions (count)
  • interface type

For each partition on a physical disk, Cribl Edge will collect:

  • disk (name)
  • disk ID (number)
  • type (primary or logical)
  • label
  • offset
  • size (in blocks)
  • blockSize (in bytes)
  • filesystem (mount point)

For each mounted filesystem, Cribl Edge will collect:

  • mount point (path)
  • disk (name)
  • partition (ID)
  • filesystem type
  • size (in blocks)
  • blockSize (in bytes)
  • blocksFree
  • inodes
  • inodesFree
  • flags

Mount point refers to the directory where a filesystem is currently mounted. This information reflects the active filesystems, not entries in the /etc/fstab file.

DNS

With the Enabled toggle on (the default), Cribl Edge will create events for DNS resolvers and search entries. The event field mapping depends on the operating system.

Linux

Cribl Edge emits events with the following fields:

Event FieldDescription
nameServerName server entries from the file.
searchSearch entries from the file.
sourceThe source of the data used to populate the event.
Windows (Cribl Edge Only)

Cribl Edge on Windows emits events with the following fields:

Event FieldDescription
ifAliasInterface alias name (if present).
ifIndexInterface index (if present).
addressFamilyIPv4 or IPv6.
nameServerArray of name servers.
searchArray of search suffixes .
sourceThe source of the data used to populate the event.
dnsClientReports MSFT_DnsClient when the native WMI method is used (default). Reports Get-DnsClient when the Use Windows Tools toggle is enabled in Advanced Settings.

Hosts File

With the Enabled toggle on (the default), Cribl Edge will collect entries from the hosts file and emit them as events.

Examples of entries in the hosts file are:

  • ip: IP address of the host.
  • hostnames: list of hostnames per IP address.

Firewall

With the Enabled toggle on (the default), Cribl Edge will collect events from host’s defined firewall rules.

Chain Policy/References Rule(s) Event Fields

Cribl Edge emits events with the following fields:

  • chain: Name.
  • policy: Policy name.
  • pkts: Total bytes packets processed by the chain.
  • bytes: Total bytes processed by the chain.
  • references: Number of chains referencing the current chain.
Chain Rule(s) Event Fields

Cribl Edge emits events with the following fields:

  • chain: Name.
  • num: Rule sequence number.
  • pkts: Number of matched messages processed.
  • bytes: Cumulative packet size processed (bytes).
  • target: If the message matches the rule, the specified target is executed.
  • prot: The specified protocol can be one of tcp, udp, udplite, icmp, icmpv6, esp, ah, sctp, mh, or the special keyword all.
  • opt: Rarely used, this column is used to display IP options.
  • in: Inbound network interface.
  • out: Outbound network interface.
  • src: The source IP address or subnet of the traffic, the latter being anywhere.
  • dest: The destination IP address or subnet of the traffic, or anywhere.
  • match: ctstate, state, ADDRTYPE info added to a state field.
  • comment: Comment defined on the rule.
  • prot_family: IPv4 or IPv6.
Windows (Cribl Edge Only)

On Cribl Edge Windows, this collector emits events with the following fields:

  • ruleName: Rule Name.
  • displayName: Display Name.
  • direction: Specifies which direction of traffic to match with this rule. The acceptable values for this parameter are Inbound or Outbound.
  • enabled: True or False.
  • action: Specifies the action to take on traffic that matches this rule. The acceptable values for this parameter are Allow or Block.
  • group: Specifies the rule group (if applicable).
  • icmpType: Specifies the ICMP type used.
  • policyStoreSource: Contains a path to the policy store where the rule originated.
  • profile: Profile conditions associated with a rule.
  • protocol: protocols associated with firewall and IPsec rules.
  • localPort: Rules for local-only port mapping.
  • remotePort: Rules for remote port mapping.

Interfaces

With the Enabled toggle on (the default), Cribl Edge will create events for each of the host’s network interfaces.

Cribl Edge will create separate events for each entry. All events will have identical timestamp values.

Linux IPV4/IPV6

On Linux, Cribl Edge creates interface events with the following fields:

  • ifIndex: Interface index identification numbers.
  • ifName: The name of the network interface.
  • flags: Flags.
  • mtu: Maximum transmission unit (MTU) in bytes for packets sent on this interface.
  • operstate: Operational State.
  • linkType: Physical link type.
  • macAddress: Media Access Control address.
  • broadcast Broadcast address.
  • addrInfo: Array of {family, ipAddress, mask, prefix}.
Windows (Cribl Edge Only): IPV4/IPV6

On Windows, Cribl Edge creates interface events with the following fields:

  • ifIndex: Interface index identification numbers.
  • interface: The name of the network interface.
  • mtu: Maximum transmission unit (MTU) in bytes for packets sent on this interface.
  • flags: Flags.
  • macAddress: Media Access Control address.
  • addrInfo: Array of {family, ipAddress, mask, prefix}.

Listening Ports

With the Enabled toggle on (the default), Cribl Edge will create events from the list of listening ports and their associated process identifier (pid).

Cribl Edge will create separate events for each entry. All events will have identical timestamp values.

Sample entries include:

  • Protocol Family: ipv4 or ipv6.
  • Protocol: TCP, UDP, or UNIX.
  • Socket: ${addr}:${port}, or ${path} for UNIX sockets.
  • Process id: The process identifier.
  • Program: The program listening on the port.
  • listeningPorts: In Cribl Edge (Windows), reports MSFT_NetTCPConnection and MSFT_NetUDPEndpoint when the native WMI method is used (default). Reports Get-NetTCPConnection and Get-NetUDPEndpoint when the Use Windows Tools toggle is enabled in Advanced Settings.

Logged-In Users

With the Enabled toggle on (the default), Cribl Edge will collect entries from currently logged-in users.

Linux

Cribl Edge emits events with the following fields:

  • uid: User ID.
  • Last Login date: Last login date.
  • terminal: Type of the terminal device.
  • hostname: Display the hostname of the system, if the user is connected from a remote computer.
  • userName: Logon name of the user.
Windows (Cribl Edge Only)

Cribl Edge Windows emits events with the following fields:

  • userName: Login name of the user.
  • sessionName: rdp (Remote desktop/terminal services login session) or console (Direct login session).
  • id: Session ID.
  • state: active (Active session) or disc (Disconnected/inactive session).
  • logonTime: Date and time the user logged on.
  • source: Set to Query User.

Routes

With the Enabled toggle on (the default), Cribl Edge will collect entries from host’s network routes and emit them as events.

Sample entries include:

  • address_family: ipv4 or ipv6.
  • destination: The destination network or host.
  • prefix: Emits only from Linux IPv6.
  • flags: Flags.
  • gateway: The gateway address.
  • interface: Interface to which packets for this route will be sent.
  • ifIndex: Interface ID. Emits only from Windows.
  • mask: The netmask for the destination net. Emits only from Linux IPv4.
  • metric: The distance to the target.
  • sequence: Sequence number in the table.
  • source: The source of the data used to populate the event.
  • routes: In Cribl Edge on Windows, reports as MSFT_NetRoute when the native WMI method is used (default). Reports Get-NetRoute when the Use Windows Tools toggle is enabled in Advanced Settings.

Services

With the Enabled toggle on (the default), Cribl Edge will create events for each configured service (for example systemd and initd) along with their enabled and running status.

Sample entries include:

  • Name: Name of the service.
  • Unit Activation Status: The high-level unit activation state, i.e. generalization of SUB for systemctl. For sysV system value can be enabled or disabled.
  • Unit Load Status: Reflects whether the unit definition was properly loaded. (Only systemctl).
  • Sub Unit Activation Status: The low-level unit activation state, values depend on unit type.
  • Description: Description of the service.
  • windowsService: In Cribl Edge on Windows, reports as Win32_Service when the native WMI method is used (default). Reports Get-Service when the Use Windows Tools toggle is enabled in Advanced Settings.

Users and Groups

With the Enabled toggle on (the default), Cribl Edge will create events for users and groups.

Linux

The Linux collector reports exclusively on local users and groups defined within /etc/passwd and /etc/group. It does not include users or groups from external directory services like LDAP.

On Linux, Cribl Edge creates user events with the following fields:

  • username
  • fullname
  • loginShell
  • userHome
  • userid
  • primaryGroup (name of primary group, not group ID)
  • groups (list of group names)

Cribl Edge also creates group events with the following fields:

  • name
  • groupId
  • users
Windows (Cribl Edge Only)

Cribl Edge on Windows reports exclusively on local users and groups. On Windows hosts that are members of a domain (but are not domain controllers), Cribl Edge will only list local accounts. On Windows domain controllers, the collector will not list any users or groups as the local account list is replaced by the domain accounts.

On Windows, Cribl Edge creates user events with the following fields:

  • userName
  • fullname
  • description
  • groups

Cribl Edge also creates group events with the following fields:

  • name
  • description
  • users

Processing Settings

Fields

In this section, you can define new fields or modify existing ones using JavaScript expressions, similar to the Eval function.

  • The Field Name can either be a new field (unique within the event) or an existing field name to modify its value.
  • The Value is a JavaScript expression (enclosed in quotes or backticks) to compute the field’s value (can be a constant). Select this field’s advanced mode icon (far right) if you’d like to open a modal where you can work with sample data and iterate on results.

This flexibility means you can:

  • Add new fields to enrich the event.
  • Modify existing fields by overwriting their values.
  • Compute logic or transformations using JavaScript expressions.

Pre-Processing

Select a Pipeline (or Pack) from the drop-down to process this Source’s data. Required to configure this Source via Data Routes; optional to configure via Collect/QuickConnect.

Disk Spooling

Enable disk spooling: Whether to save metrics to disk. When toggled on, exposes this section’s remaining fields.

Bucket time span: The amount of time that data is held in each bucket before it’s written to disk. The default is 10 minutes (10m).

Max data size: Maximum disk space the persistent metrics can consume. Once reached, Cribl Edge will delete older data. Example values: 420 MB, 4 GB. Default value: 100 MB.

Max data age: How long to retain data. Once reached, Cribl Edge will delete older data. Example values: 2h, 4d. Default value: 24h (24 hours).

Compression: Currently locked to none. Cribl plans to add (optional) disk-spooling compression in a future release.

Path location: Path to write metrics to. Default value is $CRIBL_HOME/state/system_state.

Advanced Settings

Use Windows Tools: Toggled off by default. This setting affects Windows Edge Nodes only, it has no effect on Linux Edge Nodes or in Cribl Stream.

  • If toggled off, the System State Source interacts directly with the Windows Management Instrumentation (WMI) API, resulting in faster data collection.

  • If toggled on, the System State Source will collect events using Powershell cmdlets.

Environment: If you’re using GitOps, optionally use this field to specify a single Git branch on which to enable this configuration. If empty, the config will be enabled everywhere.

Connected Destinations

Select Send to Routes to enable conditional routing, filtering, and cloning of this Source’s data via the Routing table.

Select QuickConnect to send this Source’s data to one or more Destinations via independent, direct connections.