Add a Windows Event Forwarder Source for Cribl Search
Collect data from Windows Event Forwarder (WEF) servers over TCP so you can search it fast.
What’s a Windows Event Forwarder Source in Cribl Search?
A Cribl Search data source that receives Windows events from Windows Event Collectors (WECs) over HTTPS, secured by mutual TLS or Kerberos, and stores them in a lakehouse engine for fast access.
Looking for the Windows Event Forwarder Source in Cribl Stream? See Windows Event Forwarder Source in Cribl Stream.
What You Need First
On the Cribl.Cloud side, you need:
- Cribl.Cloud Enterprise. For details, see Pricing.
- A lakehouse engine. Get one at lakehouse engines.
- Search Admin Permission, or higher. Learn who can do what at Cribl Search Permissions.
On the WEF server side, you need either Kerberos or client certificate authentication configured. For details, see the Cribl Stream docs:
- Client Certificate Authentication for Windows Event Forwarder
- Kerberos Authentication for Windows Event Forwarder
You don’t need Cribl Stream, Edge, or Lake.
Add a Windows Event Forwarder Source for Cribl Search
On the Cribl.Cloud top bar, select Products > Search > Data > Add Source > Windows Event Forwarder.
1. Describe Your Source
Under General, give your Source an ID and Description, so you and other Search Admins know what the Source is for and whether it’s safe to modify.
The ID must be unique across your Workspace and can contain letters, numbers, underscores, and hyphens. Cribl Search prefixes it with in_ on save (for example, wef-prod-1 becomes in_wef-prod-1).
2. Note the Source Endpoint
Under General, note down the Address and Port. You’ll need them to configure your upstream Windows Event Collector to send data here.
Keep the default port unless it conflicts with another service.
3. Set Up Authentication
Authentication ensures only authorized senders can push data to your Source.
Under Authentication, select the Authentication method you want to use: Client certificate or Kerberos.
Client Certificate
First, set up a client certificate on the WEF server side. See Client Certificate Authentication for Windows Event Forwarder.
Then, when setting up the Windows Event Forwarder Source for Cribl Search, under Authentication, select Client certificate, and configure the following settings.
| Setting | Description |
|---|---|
| Certificate | Name of the certificate. Select Create to add a new one (see Client Certificate Authentication for Windows Event Forwarder). |
| Private key path | Path to the PEM-formatted private key on the server. Supports $ENV_VARS. |
| Passphrase | Decrypts the private key if it’s encrypted. Use a secure secret input. |
| Certificate path | Path to the PEM-formatted server certificate on the server. Supports $ENV_VARS. |
| CA certificate path | Path to the PEM-formatted CA certificate on the server. Supports $ENV_VARS. |
| CA fingerprint override | SHA1 fingerprint of the issuing CA. Use this when the CA certificate path points to a chain file whose PEM order cannot be guaranteed. |
| Common name | Regex to validate the peer certificate’s CN or SANs. Default: .* (accept all). If SANs are present, matching is against the SANs and the CN is ignored, so the pattern must match a SAN, not the CN. Example: ^worker\.cribl\.local$ for an exact FQDN. Set an explicit pattern in production; the default accepts any certificate the CA has issued. |
| Minimum TLS version / Maximum TLS version | Constrain accepted TLS versions. Recommended: Min 1.2, Max 1.3. |
| Verify certificate via OCSP | If toggled to Yes, Cribl Search will use an OCSP (Online Certificate Status Protocol) service to check that client certificates presented in incoming requests have not been revoked. |
| Strict validation | If enabled, Cribl Search will fail checks on any OCSP error. Otherwise, Cribl Search will fail checks only when a certificate is revoked, and will ignore other errors (such as OCSP server is unavailable errors). |
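The two settings that most often trip people up here are the CA fingerprint override and the Common name regex. The following Python is an added example, not Cribl code: it computes the SHA1 fingerprint (SHA-1 over the certificate's DER bytes) for every CERTIFICATE block in a PEM chain so you can pick out the issuing CA, and it models the documented matching rule (SANs win, CN ignored when any SAN is present). The PEM blocks are constructed from arbitrary bytes and are not real certificates; the JavaScript-style "search" semantics for the regex is an assumption, which is why the patterns are anchored with ^ and $.

```python
import base64
import hashlib
import re
from typing import Iterable, List

# --- CA fingerprint override -------------------------------------------------
# The fingerprint is SHA-1 over the DER bytes, i.e. the base64 payload of a
# PEM block with the armour lines removed. One fingerprint per block lets you
# choose the issuing CA out of a bundle whose order you cannot rely on.

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def sha1_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-1 of DER bytes, e.g. 'A9:99:3E:...'."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_fingerprints(pem_text: str) -> List[str]:
    """SHA-1 fingerprint of every CERTIFICATE block in a PEM file, in file order."""
    return [
        sha1_fingerprint(base64.b64decode("".join(body.split())))
        for body in PEM_BLOCK.findall(pem_text)
    ]


def to_pem(der: bytes) -> str:
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# Constructed sample: NOT real certificates. Each block wraps arbitrary bytes,
# which is enough because the fingerprint only hashes the DER payload.
ROOT_DER = b"constructed root CA bytes"
ISSUING_DER = b"constructed issuing CA bytes"

# Bundle in the "wrong" order (root first): the case the override exists for.
SAMPLE_BUNDLE = to_pem(ROOT_DER) + to_pem(ISSUING_DER)


# --- Common name regex -------------------------------------------------------
# Documented rule: when the peer certificate carries any SANs, the regex is
# tested against the SANs only and the CN is ignored; a certificate with no
# SANs is matched on its CN. Assumption: "search" semantics, so anchor patterns.

def peer_name_matches(pattern: str, common_name: str, sans: Iterable[str]) -> bool:
    regex = re.compile(pattern)
    candidates = list(sans) or [common_name]
    return any(regex.search(name) for name in candidates)


if __name__ == "__main__":
    for i, fp in enumerate(pem_fingerprints(SAMPLE_BUNDLE)):
        print(f"block {i}: {fp}")
    # Pitfall: CN matches the pattern, but the cert has a SAN, so the CN is ignored.
    print(peer_name_matches(r"^worker\.cribl\.local$", "worker.cribl.local",
                            ["wec01.cribl.local"]))          # False
    print(peer_name_matches(r"^wec\d+\.cribl\.local$", "worker.cribl.local",
                            ["wec01.cribl.local"]))          # True
```

On a real CA file, `openssl x509 -in ca.pem -noout -fingerprint -sha1` prints the same colon-separated value for the first certificate in the file; the Python helper above is only there to show which bytes are being hashed and to handle a multi-certificate bundle. Any modern Windows certificate template puts the host name in the SAN, so a Common name pattern that only describes the CN will reject every forwarder.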
Kerberos
First, set up Kerberos on the WEF server side. See Kerberos Authentication for Windows Event Forwarder.
Then, when setting up the Windows Event Forwarder Source for Cribl Search, under Authentication, select Kerberos, and configure:
| Setting | Description |
|---|---|
| Service principal name | The Service Principal Name (SPN) in the format HTTP/<fully qualified domain name>@REALM. It identifies the service in the Kerberos realm. The SPN is case-sensitive and must match the form used when the keytab was exported. |
| Keytab location | Path to the keytab file that holds the service principal’s keys. Default: /etc/krb5.keytab. |
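Because the SPN comparison is case-sensitive, the check worth doing before you save is whether the principal you type matches what is actually in the keytab, byte for byte. The following Python is an added example, not Cribl code: it parses the MIT keytab format (file version 0x0502, which is what ktpass and ktutil write) and reports whether a configured SPN matches exactly or only case-insensitively. The sample keytab is constructed inline with dummy key material and a fixed timestamp so it runs offline; the principal names and realm are placeholders.

```python
import struct
from typing import List, NamedTuple


class KeytabEntry(NamedTuple):
    principal: str   # e.g. "HTTP/search.example.com@EXAMPLE.COM"
    kvno: int
    enctype: int     # 18 = aes256-cts-hmac-sha1-96


def _read_counted(buf: bytes, pos: int):
    """Read a counted_octet_string: uint16 big-endian length, then bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse an MIT-format (0x0502) keytab and return its principals."""
    (version,) = struct.unpack_from(">H", data, 0)
    if version != 0x0502:
        raise ValueError(f"unsupported keytab version {version:#06x}")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        entry, end = data[pos:pos + size], pos + size
        p = 0
        (ncomp,) = struct.unpack_from(">H", entry, p); p += 2
        realm, p = _read_counted(entry, p)
        comps = []
        for _ in range(ncomp):
            c, p = _read_counted(entry, p)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", entry, p); p += 9
        (enctype,) = struct.unpack_from(">H", entry, p); p += 2
        _key, p = _read_counted(entry, p)
        # 32-bit vno is present only when at least 4 bytes remain in the entry.
        vno32 = struct.unpack_from(">I", entry, p)[0] if p + 4 <= size else 0
        kvno = vno32 or vno8
        entries.append(KeytabEntry(f"{'/'.join(comps)}@{realm.decode()}", kvno, enctype))
        pos = end
    return entries


def check_spn(keytab: bytes, spn: str) -> dict:
    """Does the configured SPN appear in the keytab exactly, or only by case?"""
    principals = [e.principal for e in parse_keytab(keytab)]
    exact = spn in principals
    loose = not exact and any(p.lower() == spn.lower() for p in principals)
    return {"exact": exact, "case_insensitive_only": loose, "principals": principals}


# --- constructed sample keytab (dummy keys, placeholder names) ---------------

def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def build_keytab_entry(principal: str, kvno: int, enctype: int, key: bytes,
                       deleted: bool = False) -> bytes:
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 1700000000, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, fixed time
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)
    return struct.pack(">i", -len(body) if deleted else len(body)) + body


SAMPLE_KEYTAB = (
    b"\x05\x02"
    + build_keytab_entry("HTTP/search.example.com@EXAMPLE.COM", 3, 18, b"\x00" * 32)
    + build_keytab_entry("host/search.example.com@EXAMPLE.COM", 3, 18, b"\x11" * 32)
    + build_keytab_entry("HTTP/old.example.com@EXAMPLE.COM", 2, 18, b"\x22" * 32, deleted=True)
)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e)
    # A lower-case "http/" SPN will not authenticate against this keytab.
    print(check_spn(SAMPLE_KEYTAB, "http/search.example.com@EXAMPLE.COM"))
```

On the host itself, `klist -kt /etc/krb5.keytab` lists the same principals and key version numbers; if the KVNO there is behind the one in Active Directory, or the service class is `http/` where you configured `HTTP/`, tickets will be rejected and the failure shows up as an authentication error on the Source rather than as a TLS error.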
Next Steps
Confirm with Save. Now, you’re ready to:
- Set Datatype rules for parsing your data. See Shape Your Data.
- Set Dataset rules for organizing your data. See Organize Your Data.
- Configure your WECs to send data to the Source endpoint.