On This Page

Home / Stream/ Securing·Securing Cribl Stream (TLS/SSL, Certs, Keys)

Securing Cribl Stream (TLS/SSL, Certs, Keys, and More)

You can secure Cribl Stream access and traffic using various combinations of SSL (Secure Sockets Layer), TLS (Transport Layer Security), custom HTTP headers, and internal or external KMS (Key Management Service) options. An additional option for Cribl Stream is to deploy in FIPS mode.

In a single-instance deployment (Stream, Edge), wherever this page refers to a Worker Group, just follow the Manage link in the top nav.

Secure Access to Worker Node UIs

Cribl recommends that in enterprise distributed deployments, you prevent direct browser access to the UI for all Worker Nodes.

On the Leader Node, start by enabling UI access to Worker Nodes (Stream, Edge). This way, admins will still be able to tunnel through from the Leader to the UI on any Worker Node. This is also a prerequisite for Connecting Workers to the Leader Securely.

  1. Select a Worker Group.
  2. Open Group Settings (top right).
  3. Under General Settings > API Server Settings, click Advanced.
  4. Toggle Local UI Access to No.
  5. Click Save.

SSL Certificate Configuration

You can secure access to the Cribl Stream API and UI by configuring SSL. Do this on the Leader, to secure inbound communications to the Worker Nodes.

You can use your own certs and private keys, or you can generate a pair with OpenSSL, as shown here:

openssl req -nodes -new -x509 -newkey rsa:2048 -keyout myKey.pem -out myCert.pem -days 420

This example command will generate both a self-signed cert myCert.pem (certified for 420 days), and an unencrypted, 2048-bit RSA private key myKey.pem. (Change the filename arguments to modify these placeholder names.)

As indicated by these examples, Cribl Stream expects certificates and keys to be formatted in privacy-enhanced mail (.pem) format.

In the Cribl Stream UI, you configure the certificate and its associated private key differently depending on your deployment type:

  • For single-instance deployments, navigate to Settings > Global Settings > Security > Certificates (Edge, Stream).

  • For distributed deployments, navigate to Manage > Groups > <group‑name> > Group Settings > Security > Certificates (Edge, Stream).

Alternatively, in the local/cribl.yml file, you can edit the api section to directly set the privKeyPath and certPath attributes. For example:

cribl.yml
api:
  host: 0.0.0.0
  port: 9000
  disabled : false
  ssl:
    disabled: false
    privKeyPath: /path/to/myKey.pem
    certPath: /path/to/myCert.pem
...

See Securing Communications for details about using this certificate and key to secure communications on, and among, your Cribl Stream Leader and Worker Nodes.

TLS Settings and Traffic Types

This table shows TLS client/server pairs, and encryption defaults, per traffic type.

Traffic TypeTLS ClientTLS ServerEncryptionCert AuthCN* Check
UIBrowserCribl StreamDefault disabledDefault disabledDefault disabled
APIWorker/Edge NodeLeaderDefault disabledDefault disabledDefault disabled
Worker-to-LeaderWorker/Edge NodeLeaderDefault disabledDefault disabledDefault disabled
DataAny data senderCribl Stream (Source)Default disabledDefault disabledDefault disabled
DataCribl Stream (Destination)Any data receiverDefault disabledDefault disabledDefault disabled
Authentication————————————————————
Local*BrowserCribl StreamDefault DisabledN/AN/A
LDAP*Cribl StreamLDAP ProviderCustomN/ADefault Disabled
Splunk*Cribl StreamSplunk Search HeadDefault EnabledN/ADefault Disabled
OIDC†/​Okta*Browser and Cribl StreamOktaDefault EnabledN/AEnabled (Browser)
OIDC†/​Google*Browser and Cribl StreamGoogleDefault EnabledN/AEnabled (Browser)

* Common name
† OpenID Connect

System-wide TLS Settings Including Ciphers

You can configure advanced, system-wide TLS settings – minimum and maximum TLS versions, default cipher lists, and ECDH curve names. Select Settings > Global Settings > System > General Settings > Default TLS Settings.

In the Default cipher list field, you can specify between one and all of the following supported ciphers:

  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA38
  • ECDHE-RSA-CHACHA20-POLY1305
  • ECDHE-ARIA256-GCM-SHA38
  • ECDHE-ARIA128-GCM-SHA25
  • AES256-GCM-SHA384
  • AES256-CCM8
  • AES256-CCM
  • ARIA256-GCM-SHA384
  • AES128-GCM-SHA256
  • AES128-CCM8
  • AES128-CCM
  • ARIA128-GCM-SHA256

TLS in Cribl.Cloud

TLS encryption is pre-enabled on several Sources in Cribl.Cloud, as indicated on the Data Sources tab of the Cribl.Cloud portal. All TLS is terminated by individual Nodes.

For steps to enable TLS mutual authentication in Cribl.Cloud, see Securing Communications.

CA Certificates and Environment Variables

For any Cribl Stream Source or Destination that supports TLS, you can configure a CA Certificate Path field that points to a Certificate Authority (CA) .pem file(s). However, you can also use environment variables to manage CAs globally. Here are some common scenarios:

  • Add a set of trusted root CAs to the list of trusted CAs that Cribl Stream trusts. Set the NODE_EXTRA_CA_CERTS environment variable for each Worker Node. For example, if you are using systemd, add the following line in each Worker Node’s systemd unit file (replace /<path>/<to>/<the>/<directory>/<containing>/<certs>/ca.pem with the path to your CA .pem file):

    ...
[Service]
Environment="NODE_EXTRA_CA_CERTS=/<path>/<to>/<the>/<directory>/<containing>/<certs>/ca.pem"
...

    When configuring TLS authentication on Worker Nodes, make sure you place your certificates into a separate directory outside of $CRIBL_HOME. If you place the certificates inside $CRIBL_HOME, they’ll be removed when the next config bundle is deployed from the Leader.

    For details about NODE_EXTRA_CA_CERTS, see the node.js documentation.

  • Configure Cribl Stream to accept all TLS certificates, regardless of their validity. Set the NODE_TLS_REJECT_UNAUTHORIZED environment variable for each Worker Node. For example, if you are using systemd, add the following line in each Worker Node’s systemd unit file:

    ...
[Service]
Environment="NODE_TLS_REJECT_UNAUTHORIZED=0"
...

    NODE_TLS_REJECT_UNAUTHORIZED=0 disables TLS certificate validation, which can decrease the security posture of your Cribl installation. For this reason, we recommend avoiding NODE_TLS_REJECT_UNAUTHORIZED=0 in production environments. Instead, use the NODE_EXTRA_CA_CERTS environment variable to explicity trust the necessary certificates.

    For details about NODE_TLS_REJECT_UNAUTHORIZED, see the node.js documentation.

Encryption Keys

You can create and manage keys that Cribl Stream will use for real-time encryption of fields and patterns within events. For details on applying the keys that you define here, see Encryption Keys.

In Cribl Stream 4.1 and later, for enhanced security, Cribl encrypts TLS certificate private keys in configuration files when you add or modify them. Before upgrading to v.4.1.0 (or later), back up your existing unencrypted key files – see Safeguarding Unencrypted Private Keys for Rollback. If you need to roll back to a pre-4.1 version, see Restoring Unencrypted Private Keys below.

Accessing Keys

  • In a single-instance deployment, select Settings > Security > Encryption Keys.
  • In a distributed deployment with one Worker Group, select Settings > Security > Encryption Keys.
  • In a distributed deployment with multiple Worker Groups, keys are managed per Worker Group. Select Manage > Groups > <group-name> Group Settings > Security > Encryption Keys.

On the resulting Manage Encryption Keys page, you can configure existing keys, and/or use the following options to add new keys.

Get Key Bundle

To import existing keys, click Get Key Bundle. You’ll be prompted to supply a login and password to proceed.

Add New Key

To define a new key, click New Key. The resulting New Key modal provides the following controls:

Key ID: Cribl Stream will automatically generate this unique identifier.

Description: Optionally, enter a description summarizing the purpose of the key.

Encryption algorithm: Currently, Cribl Stream supports the aes-256-cbc (default) and aes-256-gcm algorithms.

KMS for this key: Currently, the only option supported here is local (the Key Management Service built into Cribl Stream).

Key class: Classes are arbitrary collections of keys that you can map to different levels of access control. For details, see Key Classes. This value defaults to 0; you can assign more classes, as needed.

Expiration time: Optionally, assign the key an expiration date. Directly enter the date or select it from the date picker.

Use initialization vector: If enabled, Cribl Stream will seed encryption with a nonce to make the key more random and unique. Optional (and defaults to disabled) with the aes‑256‑cbc algorithm; automatically enabled (and cannot be disabled) with the aes‑256‑gcm algorithm.

Initialization vector size: Length of the initialization vector (IV), in bytes. This option is displayed only with the aes‑256‑gcm algorithm. Defaults to 12 bytes to optimize interoperability, but you can use the drop-down to set this anywhere between 1216 bytes.

Restoring Unencrypted Private Keys

If you need to roll back from Cribl Stream v.4.1 or later to an earlier version, follow this procedure to restore the unencrypted private key files that you earlier backed up.

  1. Stop Cribl Stream v.4.1 (or later) on hosts – the Leader and all Worker Nodes.
  2. Untar the older Cribl Stream version (v.4.0.4, for example) onto the Leader and all Worker Nodes.
  3. Manually edit each Cribl Stream config file that contains an encrypted private key. Replace each key with its prior unencrypted version.
  4. Start up Cribl Stream, commit and deploy, and resume normal operations.

Secrets

The Cribl Stream secrets store enables you to centrally manage secrets that Cribl Stream instances use to authenticate on integrated services. Use this UI section to create and update authorization tokens, username/password combinations, and API‑key/secret‑key combinations for reuse across the application.

Accessing Secrets

  • In a single-instance deployment, select Settings > Security > Secrets.
  • In a distributed deployment with one Worker Group, select Configure > Settings > Security > Secrets.
  • In a distributed deployment with multiple Worker Groups, secrets are managed on each Worker Group. Select Groups > <group-name> Settings > Security > Secrets.

On the resulting Manage Secrets page, you can configure existing secrets, and/or click New Secret to define new secrets.

Add New Secret

The New Secret modal provides the following controls:

Secret name: Enter an arbitrary, unique name for this secret.

Secret type: Some options for this field expose additional controls, as described below.

Description: Optionally, enter a description summarizing the purpose of the secret.

Tags: Optionally, enter one or multiple tags related to this secret.

Secret Type

This drop-down offers the following types:

Text: This default type exposes a Value field where you directly enter the secret.

API key and secret key: Exposes API key and Secret key fields, used to retrieve the secret from a secure endpoint. This is the only secret type that Cribl Stream supports for its AWS-based Sources, Collectors, and Destinations, and its Google Cloud Storage Destination.

Username with password: Exposes Username and Password fields, which you fill to retrieve the secret using Basic Authentication.

Custom HTTP Headers

You can encode custom, security-related HTTP headers as needed. In a Distributed deployment, navigate to Worker Group Settings, then API Server Settings > Advanced > HTTP Headers. (In a Single-instance deployment, the API Server Settings are within Global Settings > General Settings.) Define HTTP headers as key-value pairs, clicking Add Header as needed.