These docs are for Cribl Stream 4.8 and are no longer actively maintained.
See the latest version (4.11).
TLS Defaults and System-wide Settings
Cribl Stream prioritizes secure communication by default. This ensures the integrity and confidentiality of data transmitted between your Cribl Stream instance and various Sources and Destinations.
TLS Version Support and Defaults
The minimum supported TLS version in Cribl Stream is TLS 1.2 by default. This default applies to all secure connections, including supported Sources and Destinations, Worker/Leader communications, and Cribl.Cloud. Cribl.Cloud and on-prem deployments use the same TLS settings, with TLS 1.2 as the default minimum version.
You can check whether a Source or Destination supports TLS by reviewing the information box at the beginning of its corresponding documentation page.
TLS Settings and Traffic Types
This table lists, per traffic type, which side acts as the TLS client and which as the TLS server, and the defaults for encryption, certificate authentication, and common-name (CN) checking.
Traffic Type | TLS Client | TLS Server | Encryption | Cert Auth | CN* Check |
---|---|---|---|---|---|
UI | Browser | Cribl Stream | Default disabled | Default disabled | Default disabled |
API | Worker/Edge Node | Leader | Default disabled | Default disabled | Default disabled |
Worker-to-Leader | Worker/Edge Node | Leader | Default disabled | Default disabled | Default disabled |
Data | Any data sender | Cribl Stream (Source) | Default disabled | Default disabled | Default disabled |
Data | Cribl Stream (Destination) | Any data receiver | Default disabled | Default disabled | Default disabled |
Authentication | ———— | ———— | ———— | ———— | ———— |
Local* | Browser | Cribl Stream | Default Disabled | N/A | N/A |
LDAP* | Cribl Stream | LDAP Provider | Custom | N/A | Default Disabled |
Splunk* | Cribl Stream | Splunk Search Head | Default Enabled | N/A | Default Disabled |
OIDC†/Okta* | Browser and Cribl Stream | Okta | Default Enabled | N/A | Enabled (Browser) |
OIDC†/Google* | Browser and Cribl Stream | Google | Default Enabled | N/A | Enabled (Browser) |
* Common name
† OpenID Connect
Note that with these defaults, UI, API, Worker-to-Leader, and data traffic is sent in cleartext until you explicitly enable TLS for it; the defaults only set the minimum version once TLS is turned on.
System-wide TLS Settings Including Ciphers
You can configure advanced, system-wide TLS settings – minimum and maximum TLS versions, default cipher lists, and ECDH curve names. Select Settings > Global Settings > System > General Settings > Default TLS Settings.
In the Default cipher list field, you can specify one or more entries from the following list. The entries use OpenSSL cipher-string syntax: the named entries are individual cipher suites, HIGH is the OpenSSL keyword for the high-strength suites, and entries prefixed with ! exclude the named algorithm or family regardless of where they appear in the list (for example, !RC4 and !MD5 rule out any suite that uses RC4 or MD5 even if a broader keyword would otherwise include it):
```
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA256
DHE-RSA-AES256-SHA256
HIGH
!aNULL
!eNULL
!EXPORT
!DES
!RC4
!MD5
!PSK
!SRP
!CAMELLIA
```
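The following Python script is an added example, not code from Cribl's documentation or product. It applies the two settings this section describes, a TLS 1.2 minimum version and the cipher list above, to an OpenSSL-backed ssl.SSLContext (Python's ssl module and Node.js, which Cribl Stream runs on, both pass cipher strings to OpenSSL in the same syntax) and reports what such a context would negotiate. It shows that once the ! exclusions are applied, no suite from the excluded families survives in the offered list. The function names, the FORBIDDEN_FRAGMENTS table, and the report format are the example's own.

```python
import ssl

# The cipher list documented above, kept as separate entries and joined with
# ":" when handed to OpenSSL.
CRIBL_DEFAULT_CIPHER_LIST = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA256",
    "DHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-SHA384",
    "DHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA256",
    "DHE-RSA-AES256-SHA256",
    "HIGH",
    "!aNULL", "!eNULL", "!EXPORT", "!DES", "!RC4", "!MD5", "!PSK", "!SRP", "!CAMELLIA",
]

# Suite-name fragments that must not appear once the ! exclusions take effect:
# anonymous key exchange (ADH/AECDH), null encryption, export grades, RC4, MD5,
# PSK, SRP and Camellia. This table is the example's own, not an OpenSSL list.
FORBIDDEN_FRAGMENTS = ("ADH-", "AECDH-", "NULL", "EXP-", "RC4", "MD5", "PSK", "SRP", "CAMELLIA")


def build_context(cipher_list=CRIBL_DEFAULT_CIPHER_LIST, minimum=ssl.TLSVersion.TLSv1_2):
    """Apply a minimum TLS version and an OpenSSL cipher string to a client context.

    ssl.SSLContext.set_ciphers() raises ssl.SSLError when OpenSSL cannot parse
    the string, which is how a typo in the cipher list surfaces.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = minimum
    ctx.set_ciphers(":".join(cipher_list))
    return ctx


def offered_suites(ctx):
    """Suite names the context would offer. get_ciphers() also lists the TLS 1.3
    suites, which OpenSSL configures independently of the cipher string."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(names):
    """Return, sorted, any suite names that the exclusions should have removed."""
    return sorted(n for n in names if any(f in n for f in FORBIDDEN_FRAGMENTS))


def audit(cipher_list=CRIBL_DEFAULT_CIPHER_LIST, minimum=ssl.TLSVersion.TLSv1_2):
    """Summarise what a context built from this cipher list would negotiate."""
    ctx = build_context(cipher_list, minimum)
    names = offered_suites(ctx)
    return {
        "min_version": ctx.minimum_version.name,
        "suite_count": len(names),
        "weak": weak_suites(names),
    }


if __name__ == "__main__":
    report = audit()
    print(f"minimum version: {report['min_version']}")
    print(f"suites offered:  {report['suite_count']}")
    print("weak suites:    ", report["weak"] or "none")
```

Run the script against a modified list to see the effect of an edit before applying it in Cribl Stream: dropping `!RC4`, for instance, does not bring RC4 back on a current OpenSSL build because HIGH never included it, whereas dropping `!CAMELLIA` does widen the offer, since the Camellia suites are HIGH strength.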
CA Certificates and Environment Variables
For any Cribl Stream Source or Destination that supports TLS, you can configure a CA Certificate Path field that points to one or more Certificate Authority (CA) .pem files. However, you can also use environment variables to manage CAs globally. Here are some common scenarios:

Add a set of trusted root CAs to the list of CAs that Cribl Stream trusts. Set the NODE_EXTRA_CA_CERTS environment variable for each Worker Node. For example, if you are using systemd, add the following line in each Worker Node's systemd unit file (replace /opt/cribl/local/cribl/auth/certs/ca.pem with the path to your CA .pem file):
```
...
[Service]
Environment="NODE_EXTRA_CA_CERTS=/opt/cribl/local/cribl/auth/certs/ca.pem"
...
```
Node.js reads NODE_EXTRA_CA_CERTS once, when the process starts, so run systemctl daemon-reload and restart the Worker Node for the change to take effect. For details about NODE_EXTRA_CA_CERTS, see the node.js documentation.

Configure Cribl Stream to accept all TLS certificates, regardless of their validity. Set the NODE_TLS_REJECT_UNAUTHORIZED environment variable for each Worker Node. For example, if you are using systemd, add the following line in each Worker Node's systemd unit file:
```
...
[Service]
Environment="NODE_TLS_REJECT_UNAUTHORIZED=0"
...
```
NODE_TLS_REJECT_UNAUTHORIZED=0 disables TLS certificate validation for every outbound TLS connection the process makes, which weakens the security posture of your Cribl installation: any host that can intercept the traffic can present its own certificate and will be accepted. For this reason, we recommend avoiding NODE_TLS_REJECT_UNAUTHORIZED=0 in production environments. Instead, use the NODE_EXTRA_CA_CERTS environment variable to explicitly trust the necessary certificates. For details about NODE_TLS_REJECT_UNAUTHORIZED, see the node.js documentation.
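The two scenarios above differ in one property: NODE_EXTRA_CA_CERTS extends trust, while NODE_TLS_REJECT_UNAUTHORIZED=0 removes it. The following Python script is an added example, not part of Cribl's documentation or product, that audits a Worker Node's systemd unit file for exactly that difference: it parses the Environment= lines in the [Service] section (several assignments per line, each optionally double-quoted, as systemd allows), flags NODE_TLS_REJECT_UNAUTHORIZED=0, and checks that the file NODE_EXTRA_CA_CERTS points at actually contains a PEM certificate block. The sample unit text, the function names, and the wording of the findings are constructed for the example.

```python
import re
from pathlib import Path

# Constructed sample of a Worker Node unit file (not taken from any deployment).
# It carries both variables so that the audit has something to flag.
SAMPLE_UNIT = """\
[Unit]
Description=Cribl Stream Worker Node (constructed example)

[Service]
Environment="NODE_EXTRA_CA_CERTS=/opt/cribl/local/cribl/auth/certs/ca.pem"
Environment="NODE_TLS_REJECT_UNAUTHORIZED=0" CRIBL_HOME=/opt/cribl
ExecStart=/opt/cribl/bin/cribl start
"""

# A single Environment= line may carry several assignments, each optionally
# wrapped in double quotes. (An empty Environment= line, which systemd treats
# as a reset of earlier assignments, is ignored by this example.)
_ENV_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def parse_environment(unit_text):
    """Collect KEY=VALUE pairs from every Environment= line in the [Service] section."""
    env = {}
    section = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or not line.startswith("Environment="):
            continue
        for quoted, bare in _ENV_TOKEN.findall(line[len("Environment="):]):
            key, sep, value = (quoted or bare).partition("=")
            if sep:
                env[key] = value
    return env


def pem_has_certificate(path):
    """True if the file exists and contains at least one PEM CERTIFICATE block."""
    try:
        text = Path(path).read_text()
    except OSError:
        return False
    return "-----BEGIN CERTIFICATE-----" in text and "-----END CERTIFICATE-----" in text


def audit_unit(unit_text, check_files=True):
    """Return a list of findings for the TLS-related variables in a unit file."""
    env = parse_environment(unit_text)
    findings = []
    if env.get("NODE_TLS_REJECT_UNAUTHORIZED") == "0":
        findings.append(
            "NODE_TLS_REJECT_UNAUTHORIZED=0 disables certificate validation for every "
            "outbound TLS connection; remove it and trust the issuing CA via NODE_EXTRA_CA_CERTS"
        )
    ca_path = env.get("NODE_EXTRA_CA_CERTS")
    if ca_path and check_files and not pem_has_certificate(ca_path):
        findings.append(
            f"NODE_EXTRA_CA_CERTS points at {ca_path}, which is missing or holds no PEM CERTIFICATE block"
        )
    return findings


if __name__ == "__main__":
    import sys

    # Audit real unit files passed on the command line, or fall back to the sample.
    units = [Path(p).read_text() for p in sys.argv[1:]] or [SAMPLE_UNIT]
    for text in units:
        for finding in audit_unit(text) or ["no findings"]:
            print("-", finding)
```

Run it as `python audit_unit.py /etc/systemd/system/cribl.service` (path assumed) on each Worker Node, or feed it the unit files collected by your configuration management; a unit with only the NODE_EXTRA_CA_CERTS line and a readable CA bundle produces no findings.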