These docs are for Cribl Stream 4.11 and are no longer actively maintained.
See the latest version (4.13).
Configure Host Metadata
Cribl Stream can add a __metadata property to every event produced from every enabled Source. You can view the metadata collected for a Worker Node by selecting the Worker Node on the Workers page.
The metadata surfaced by a Worker Node can be used to:
- Enrich events (with an internal
__metadatafield). - Display metadata to users as a part of instance exploration.
You can customize the type of metadata collected at Group Settings > General Settings > Limits > Metadata. Add and select metadata sources by selecting Add Source and choosing an option from the list.
In Cribl Stream, all the Event metadata sources are disabled by default.
The sources that you can select here include:
| Source | Description |
|---|---|
os | Reports details for the host OS and host machine, like OS version, kernel version, CPU and memory resources, hostname, network addresses, and so on. |
cribl | Reports the Cribl Stream version, Distributed mode, Worker Nodes (for managed instances), and configuration version. |
aws | Reports details on an EC2 instance, including the instance type, hostname, network addresses, tags, and IAM roles. For security reasons, we report only IAM role names. |
env | Reports environment variables. |
kube | Reports details on a Kubernetes environment, including the node, Pod, and container. For details, see __metadata.kube Property. |
When these metadata sources are enabled (and can get data), Cribl Stream will add the corresponding property to events, with a nested property for each enabled source.
Some metadata sources work only in configured environments. For example, the
awssource is available only when running on an AWS EC2 instance. Andkubeapplies only to on-prem deployments.If your security tools report denied outbound traffic to IP addresses like
169.254.169.168or169.254.169.254, you can suppress these by removingawsfrom the metadata sources described above. If you have a proxy setup, Cribl recommends adding these IP addresses to yourno_proxyenvironment variable.
__metadata.kube Property
For the __metadata.kube property (displayed as kube in the list of event metadata sources) to report details on a Kubernetes environment, Cribl Stream needs to know where it is running. Set the KUBE_K8S_POD environment variable to the name of the Pod in which Cribl Stream is running. This gives the __metadata.kube property the information it needs to report on the node and pod properties.
If /proc/self/cgroup is working, the container property information will be available, too.