Skip to main content
Version: 3.2


AppScope is an open-source instrumentation utility from Cribl. It offers visibility into any Linux command or application, regardless of runtime, with no code modification. For details about configuring the AppScope CLI, loader, and library, see:

Type: Push | TLS Support: YES | Event Breaker Support: YES

Configuring LogStream to Receive AppScope Data

In the QuickConnect UI: Click + New Source, or click + Add beside Sources. From the resulting drawer's tiles, select [Push >] AppScope. Next, click either + Add New or (if displayed) Select Existing. The drawer will now provide the following options and fields.

Or, in the Data Routes UI: From the top nav of a LogStream instance or Group, select Data > Sources. From the resulting page's tiles or the Sources left nav, select [Push >] AppScope. Next, click + Add New to open a New Source modal that provides the following options and fields.

General Settings

Input ID: Enter a unique name to identify this AppScope Source definition.

Address: Enter the hostname/IP on which to listen for AppScope data. (E.g., localhost.) Defaults to, meaning all addresses.

Port: Enter the port number to listen on.

IP whitelist regex: Regex matching IP addresses that are allowed to establish a connection.

Authentication Settings

Use the Authentication method buttons to select one of these options:

  • Manual: Use this default option to enter the shared secret clients must provide in the authToken header field. Click Generate if you need a new auth token. If empty, unauthenticated access will be permitted.

  • Secret: This option exposes an Auth token (text secret) drop-down, in which you can select a stored secret that references the auth token described above. The secret can reside in LogStream's internal secrets manager or (if enabled) in an external KMS. Click Create if you need to configure a new secret.

TLS Settings (Server Side)

Enabled defaults to No. When toggled to Yes:

Certificate name: Name of the predefined certificate.

Private key path: Server path containing the private key (in PEM format) to use. Path can reference $ENV_VARS.

Passphrase: Passphrase to use to decrypt private key.

Certificate path: Server path containing certificates (in PEM format) to use. Path can reference $ENV_VARS.

CA certificate path: Server path containing CA certificates (in PEM format) to use. Path can reference $ENV_VARS.

Authenticate client (mutual auth): Require clients to present their certificates. Used to perform mutual authentication using SSL certs. Defaults to No. When toggled to Yes:

  • Validate client certs: Reject certificates that are not authorized by a CA in the CA certificate path, or by another trusted CA (e.g., the system's CA). Defaults to No.

  • Common name: Regex matching subject common names in peer certificates allowed to connect. Defaults to .*. Matches on the substring after CN=. As needed, escape regex tokens to match literal characters. E.g., to match the subject CN=worker.cribl.local, you would enter: worker\.cribl\.local.

Minimum TLS version: Optionally, select the minimum TLS version to accept from connections.

Maximum TLS version: Optionally, select the maximum TLS version to accept from connections.

In a LogStream Cloud deployment, do not set the TLS Settings (Server Side) tab's Enabled slider to Yes, nor configure any of the tab's resulting TLS fields. Any settings that you configure here would conflict with the LogStream Cloud Source's predefined TLS configuration.

Processing Settings

Event Breakers

Event Breaker rulesets: A list of event breaking rulesets that will be applied to the input data stream before the data is sent through the Routes. Defaults to System Default Rule.

Event Breaker buffer timeout: The amount of time (in milliseconds) that the event breaker will wait for new data to be sent to a specific channel, before flushing out the data stream, as-is, to the Routes. Defaults to 10000.

Fields (Metadata)

In this section, you can add fields/metadata to each event using Eval-like functionality.

Name: Field name.

Value: JavaScript expression to compute field's value (can be a constant).


In this section's Pipeline drop-down list, you can select a single existing Pipeline to process data from this input before the data is sent through the Routes.

Advanced Settings

Enable proxy protocol: Enable if the connection is proxied by a device that supports Proxy Protocol v1 or v2.

Environment: If you're using GitOps, optionally use this field to specify a single Git branch on which to enable this configuration. If empty, the config will be enabled everywhere.

Connected Destinations

Select Send to Routes to enable conditional routing, filtering, and cloning of this Source's data via the Routing table.

Select QuickConnect to send this Source’s data to one or more Destinations via independent, direct connections.

Internal Settings

Cribl LogStream uses a set of internal fields to assist in handling of data. These "meta" fields are not part of an event, but they are accessible, and Functions can use them to make processing decisions.

Field for this Source:

  • __inputId
  • __srcIpPort


LogStream Cloud – TLS

  • An in_appscope TLS Source is preconfigured for you in LogStream Cloud, using port 10090.

  • Send it AppScope data using this command:

./scope run -c in.logstream.<tenant‑ID> -- ps -ef

LogStream Cloud – TCP

  • Add a new AppScope Source and assign it Port: 10091.

  • Send it AppScope data using this command:

./scope run -c tcp://in.logstream.<tenant‑ID> \
> -- curl -so /dev/null