Add a Syslog Source for Cribl Search
Collect data from Syslog agents in the Syslog format via TCP or UDP so you can search it fast.
What’s a Syslog Source in Cribl Search?
A Cribl Search data source that receives syslog data over TCP or UDP from various devices and stores it in a Lakehouse engine for fast access.
Looking for the Syslog Source in Cribl Stream? See Syslog Source in Cribl Stream.
What You Need First
To set up this Source, you need:
- Cribl.Cloud Enterprise. For details, see Pricing.
- A lakehouse engine. Get one at lakehouse engines.
- Search Admin Permission, or higher. Learn who can do what at Cribl Search Permissions.
You don’t need Cribl Stream, Edge, or Lake.
Add a Syslog Source for Cribl Search
On the Cribl.Cloud top bar, select Products > Search > Data > Add Source > Syslog.
1. Describe Your Source
Under General, give your Source an ID and Description, so you and other Search Admins know what the Source is for and if it’s safe to modify.
The ID must be unique across your Workspace and can contain letters, numbers, underscores, and hyphens. Cribl Search prefixes it with in_ on save (for example, syslog becomes in_syslog).
2. Set the Ports
Under General, set TCP port and, optionally, UDP port to the ports you want to listen on.
3. Set Up Encryption
TLS encryption protects your data in transit between upstream Syslog agents and this Source. TLS is TCP-only: data sent to the UDP port is not encrypted.
Under Encrypt, select Enabled, and set the Minimum TLS version you want to accept.
| TLS version | When to use |
|---|---|
| 1.3 | Recommended. Provides the best security. |
| 1.2 | Use only when connecting to older systems that don’t support TLS 1.3. |
| Older than 1.2 | Avoid if possible. These versions are no longer considered secure. |
Next Steps
Confirm with Save. Now, you’re ready to:
- Set Datatype rules for parsing your data. See Shape Your Data.
- Set Dataset rules for organizing your data. See Organize Your Data.
- Configure your Syslog agents to send data to the Source endpoint.
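To check that an agent can reach the Source with the ports and TLS policy set above, here is an added example (not Cribl's code) of a small Python client that builds an RFC 5424 syslog message, frames it with RFC 6587 octet counting for TCP, and sends it over TLS with the client's own minimum version pinned to match the Source's setting. The Source host, ports and CA file are placeholders you substitute for your deployment.

```python
import datetime
import socket
import ssl

# Placeholders (assumptions, not values from the Cribl documentation).
SOURCE_HOST = "syslog-source.example.invalid"
SOURCE_TCP_PORT = 6514
SOURCE_UDP_PORT = 514
CA_FILE = None  # path to the CA that signed the Source's certificate, or None for system trust


def build_syslog_message(facility, severity, hostname, appname, msg,
                         ts=None, procid="-", msgid="-"):
    """Return an RFC 5424 line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID - MSG."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    pri = facility * 8 + severity
    if ts is None:
        now = datetime.datetime.now(datetime.timezone.utc)
        ts = now.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    return f"<{pri}>1 {ts} {hostname} {appname} {procid} {msgid} - {msg}"


def frame_for_tcp(message):
    """Octet-counting framing (RFC 6587): 'LEN ' prefix, so the receiver sees message boundaries."""
    body = message.encode("utf-8")
    return f"{len(body)} ".encode("ascii") + body


def make_tls_context(min_version=ssl.TLSVersion.TLSv1_3, cafile=None):
    """Client context that verifies the Source's certificate and refuses anything below min_version."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = min_version
    return ctx


def send_syslog_tls(host, port, message, ctx):
    """Send one framed message over TLS; return the negotiated protocol version (e.g. 'TLSv1.3')."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame_for_tcp(message))
            return tls.version()


def send_syslog_udp(host, port, message):
    """UDP path: one datagram per message, no framing and no encryption (TLS is TCP-only)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message.encode("utf-8"), (host, port))


if __name__ == "__main__":
    line = build_syslog_message(4, 6, "host1", "probe", "cribl search syslog source test")
    print("negotiated", send_syslog_tls(SOURCE_HOST, SOURCE_TCP_PORT, line, make_tls_context(cafile=CA_FILE)))
```

If the Source's Minimum TLS version is set to 1.3 and the client reports an older negotiated version, the agent-side configuration, not the Source, is what needs attention.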