
Ingest Syslog Messages into Cribl Search

Collect data from syslog agents via TCP or UDP to store it in Cribl Search for fast analysis.


Before You Begin

You’ll need:

  • Cribl.Cloud Enterprise. For details, see Pricing.
  • A lakehouse engine. See how to get one at lakehouse engines.
  • Search Admin Permission, or higher. Learn who can do what at Cribl Search Permissions.
  • A syslog sender that can reach Cribl Search over TCP or UDP: rsyslog, syslog-ng, or any other syslog client.

You don’t need Cribl Stream, Edge, or Lake. (Looking for the Syslog Source in Cribl Stream instead?)

1. Add a Syslog Source in Cribl Search

On the Cribl.Cloud top bar, select Products > Search > Data > Add Source > Syslog.

Describe Your Source

Under General, configure:

Setting       Description                                              Example
ID            Source ID, unique across your Cribl.Cloud Workspace.     syslog_prod
              Use letters, numbers, underscores, and hyphens.
Description   Describe your Source so others know what it's for.       Ingests syslog from prod servers

Set Ports

Under General, set the ports you want to listen on:

Setting    Description                                               Example
Address    Hostname (FQDN) that your syslog client connects to.      search.main.foo-bar-abc123.cribl.cloud
           You'll need this to set up your syslog client.
TCP Port   Network port to listen on for TCP traffic.                9514 (default)
           Set this if you want to receive data over TCP.
UDP Port   Network port to listen on for UDP traffic.                9514 (default)
           Set this if you want to receive data over UDP.

Set Up Encryption

Use TLS encryption to protect your data in transit between upstream syslog senders and your Cribl Search Source.

TLS is supported for TCP connections only. Syslog over UDP travels in the clear, with no sender authentication and no delivery guarantee, so prefer TCP with TLS wherever your sender supports it, and leave the UDP port unset unless you need it.

Under Encrypt, select Enabled, and set the Minimum TLS version you want to accept.

TLS Version      When to Use
1.3              Recommended. Provides the best security.
1.2              Use only when connecting to older systems that don't support TLS 1.3.
Older than 1.2   Avoid. TLS 1.0 and 1.1 are deprecated (RFC 8996) and are no longer considered secure.

Select Save to create the Source.

2. Set Datatype Rules

Configure Datatype rules to parse, filter, and normalize your syslog messages into structured fields. We call this process Datatyping.

On the Cribl.Cloud top bar, select Products > Search > Data > Datatyping (auto). Here, you can:


3. Set Dataset Rules

Configure Dataset rules to organize the parsed events into Datasets. This also determines how long the data is kept, as each Dataset has its own retention period.

On the Cribl.Cloud top bar, select Products > Search > Data > Datasets. See Organize Your Data for details.

4. Set Up Your Syslog Client

Configure your upstream syslog client to send data to Cribl Search.

You’ll need these details from your Source configuration:

Name       Example
Address    search.main.foo-bar-abc123.cribl.cloud
TCP Port   9514 (default)
UDP Port   9514 (default)

To find these for an existing Source: On the Cribl.Cloud top bar, select Products > Search > Data > Sources, and select your Source.

Example Message (Syslog > Cribl Search)

Replace the example address (search.main.foo-bar-abc123.cribl.cloud) and port (if you changed the default 9514) with your Source values. The <34> prefix is the syslog PRI: facility 4 (auth) times 8 plus severity 2 (critical). These one-liners send plaintext, so they only work while Encrypt is disabled on the Source; against a TLS-enabled TCP port the handshake fails and nothing is ingested.

RFC 3164 over TCP:

echo '<34>Oct 11 22:14:15 mymachine su: su root failed for lonvick on /dev/pts/8' | nc search.main.foo-bar-abc123.cribl.cloud 9514

RFC 3164 over UDP:

echo '<34>Oct 11 22:14:15 mymachine su: Sample syslog message' | nc -u search.main.foo-bar-abc123.cribl.cloud 9514
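The nc one-liners above are fine for a smoke test, but nc cannot speak TLS and the PRI value is left as a magic number. The script below is an added example for both the Set Up Encryption and Set Up Your Syslog Client steps; it is not part of the Cribl documentation. It computes PRI from a facility and severity, formats RFC 3164 and RFC 5424 messages, sends a test event over TCP with TLS and certificate verification using openssl s_client, and prints an equivalent rsyslog forwarding configuration. It assumes the Source has Encrypt enabled on its TCP port, that the endpoint presents a certificate your system CA store trusts, and that newline-delimited framing is accepted on TCP (as the echo | nc example implies); the address and port default to the page's placeholders, the CA bundle path in the rsyslog fragment is the Debian/Ubuntu default, and the filename send_syslog.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the Cribl documentation.
# Builds syslog messages like the nc one-liners above, sends a test event over
# TCP+TLS with certificate verification, and prints an rsyslog config that
# forwards to the same Source.
#
# Assumptions (not stated on the page): the Source has Encrypt enabled on its
# TCP port; the endpoint presents a certificate trusted by the system CA store;
# newline-delimited framing is accepted on TCP, as the echo | nc example
# implies. ADDR and PORT default to the page's placeholder values.

ADDR="${CRIBL_SYSLOG_ADDR:-search.main.foo-bar-abc123.cribl.cloud}"
PORT="${CRIBL_SYSLOG_PORT:-9514}"

# PRI = facility * 8 + severity (RFC 3164 / RFC 5424). Facility is 0..23 and
# severity 0..7, so a valid PRI is 0..191; anything else is rejected.
# Facility 4 (auth) with severity 2 (critical) gives the <34> used above.
syslog_pri() {
  facility=$1; severity=$2
  [ "$facility" -ge 0 ] && [ "$facility" -le 23 ] || return 1
  [ "$severity" -ge 0 ] && [ "$severity" -le 7 ] || return 1
  echo $(( facility * 8 + severity ))
}

# RFC 3164 (BSD syslog): <PRI>TIMESTAMP HOSTNAME TAG: MSG
rfc3164_msg() {
  printf '<%s>%s %s %s: %s' "$1" "$2" "$3" "$4" "$5"
}

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
# "-" is the NILVALUE; this helper always sends STRUCTURED-DATA as "-".
rfc5424_msg() {
  printf '<%s>1 %s %s %s %s %s - %s' "$1" "$2" "$3" "$4" "$5" "$6" "$7"
}

# Send one newline-terminated message over TLS. Unlike nc, openssl s_client
# performs the handshake, verifies the server certificate against the default
# CA store and, with -verify_return_error, exits non-zero instead of sending
# anything when verification fails. -no_ign_eof closes the connection once
# stdin is drained (-quiet alone would keep it open).
send_tls() {
  printf '%s\n' "$1" | openssl s_client -connect "$ADDR:$PORT" -servername "$ADDR" \
      -verify_return_error -quiet -no_ign_eof
}

# rsyslog equivalent: forward all local messages over TCP, TLS only
# (StreamDriverMode="1"), checking the server certificate's name against
# StreamDriverPermittedPeers. The CA path is the Debian/Ubuntu bundle; adjust it.
rsyslog_conf() {
  cat <<EOF
global(DefaultNetstreamDriver="gtls"
       DefaultNetstreamDriverCAFile="/etc/ssl/certs/ca-certificates.crt")
*.* action(type="omfwd" target="$ADDR" port="$PORT" protocol="tcp"
           template="RSYSLOG_SyslogProtocol23Format"
           StreamDriver="gtls" StreamDriverMode="1"
           StreamDriverAuthMode="x509/name" StreamDriverPermittedPeers="$ADDR"
           action.resumeRetryCount="-1" queue.type="linkedlist")
EOF
}

# Only talk to the network when explicitly asked, so sourcing this file has
# no side effects.
if [ "${1:-}" = "send" ]; then
  msg=$(rfc5424_msg "$(syslog_pri 4 2)" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$(hostname)" test-client "$$" TEST "Cribl Search syslog TLS test")
  send_tls "$msg"
elif [ "${1:-}" = "rsyslog" ]; then
  rsyslog_conf
fi
```

Run `sh send_syslog.sh send` to fire one RFC 5424 test event at the Source, or `sh send_syslog.sh rsyslog > /etc/rsyslog.d/cribl-search.conf` to install the forwarding rule; set CRIBL_SYSLOG_ADDR and CRIBL_SYSLOG_PORT to override the placeholders. In the rsyslog fragment, StreamDriverMode="1" refuses to fall back to plaintext and StreamDriverAuthMode="x509/name" makes rsyslog verify the server certificate's name against StreamDriverPermittedPeers, so a misdirected or intercepted connection is dropped rather than silently sending your logs somewhere else.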

5. See Live Data Flow

Verify that events are successfully flowing from your syslog client into Cribl Search.

On the Cribl.Cloud top bar, select Products > Search > Data > Live Data.

Here, check that events from your syslog Source are arriving. If nothing shows up, confirm that the client can reach the Address on the configured port, that the client's TLS setting matches the Source's Encrypt setting (a plaintext sender to a TLS-enabled port fails the handshake and delivers nothing), and that the Source was saved. For details, see See Live Data Flow.

Next Steps

Now that your data is in Cribl Search, you can start using it. For example: