cribl.yml
cribl.yml contains settings for configuring API and other system properties.
cribl.yml
# API Server Settings
# NOTE(review): indentation was lost in this listing, so which keys nest under which parent
# cannot be read from the text here - confirm nesting against a real cribl.yml.
api:
# Host - Hostname or address to bind API server to. Defaults to 0.0.0.0. Using $CRIBL_API_HOST
# overrides this setting.
# [string; default: 0.0.0.0; required]
# NOTE(review): 0.0.0.0 binds every network interface. With the ssl block's documented default
# (disabled: true), the API is reachable over plain HTTP from any network that can route to
# the port; bind to a specific address or enable TLS where that exposure is not intended.
host:
# Port - API port to listen to. Defaults to 9000. Using $CRIBL_API_PORT overrides this setting.
# [number; max: 65535; default: 9000; required]
port:
# Protocol - Protocol that API server speaks, defaults to http1.1
# [string; default: http1.1]
protocol:
# Retry count - Number of times to retry binding to API port
# [number; min: 0; default: 120]
retryCount:
# Retry period - Period, in seconds, between consecutive port binding retries
# [number; min: 0; default: 5]
retrySleepSecs:
# URL base path - URL base path from which to serve all assets (useful when behind a proxy)
# [string; default: '']
baseUrl:
# Local UI access - Enable to allow direct browser access to the Cribl Stream Worker Nodes' UI
# [boolean; default: false]
# NOTE(review): the key is named `disabled` while the label describes enabling, so the value's
# sense looks inverted relative to the label (presumably true = access off) - confirm before
# relying on it as an access control.
disabled:
# Listen on port - Expose the API service to the network on the configured port.
# [boolean; default: true]
listenOnPort:
# Enable teleporting to Worker Nodes - Enables authenticated access to each Worker Node's UI from the
# Leader
# [boolean; default: false]
workerRemoteAccess:
# Log out on roles change - Log users out when their roles change
# [boolean; default: true]
# NOTE(review): if this is turned off, existing sessions presumably keep their old roles until
# the token expires (see authTokenTTL) - confirm; leaving it true makes role removals take
# effect at once.
revokeOnRoleChange:
# Auth token TTL - How long (in seconds) authentication tokens remain valid. Default is 1 hr.;
# minimum is 1 sec.
# [number; min: 1; default: 3600]
authTokenTTL:
# Session idle time limit - How long (in seconds) Cribl Stream will observe no user interaction
# before invalidating user's session tokens. Default is 1 hr.; minimum is 60 sec.
# [number; min: 60; default: 3600]
idleSessionTTL:
# Login rate limit - Rate limit, expressed as maximum number of requests per interval (second,
# minute, hour, day). Examples: 3/second, 5/minute
# [string]
# NOTE(review): no default is documented, so an unset value presumably means login attempts
# are not throttled - confirm, and set a limit to slow password guessing.
loginRateLimit:
# SSO/SLO callback rate limit - Rate limit for SSO and SLO callback endpoints. Expressed as
# maximum number of requests per second, minute, hour, or day. Examples: 3/second, 5/minute.
# When limit is reached, the Cribl Stream sends 429 Too Many Requests HTTP responses.
# [string]
ssoRateLimit:
# HTTP headers - Custom HTTP headers to be sent with every response
# NOTE(review): the value format is not shown here. A response-header setting like this is the
# usual place for hardening headers such as Strict-Transport-Security (once TLS is enabled) or
# X-Content-Type-Options.
headers:
apiCache:
# Enable API cache - Enable caching of browser's frequent API requests. (Disabling can slow
# the response time.)
# [boolean; default: false]
# NOTE(review): as with the other `disabled` keys, the label says "Enable" but the key is
# negative - presumably false (the default) leaves the cache on; confirm.
disabled:
# SSL - Enable SSL on API. Defaults to disabled.
ssl:
# Disabled
# [boolean; default: true; required]
# NOTE(review): the default of true means TLS is off, so logins and authentication tokens
# cross the network unencrypted until this is set to false and a key/certificate pair is
# configured (or TLS is terminated by a proxy in front of the API).
disabled:
# Certificate - The name of the predefined certificate
# [string]
certificateName:
# Private key path - Path on server in which to find the private key to use. PEM format. Can
# reference $ENV_VARS.
# [string; required]
# NOTE(review): the key file should be readable only by the account that runs Cribl.
privKeyPath:
# Passphrase - Passphrase to use to decrypt private key
# [string]
# NOTE(review): secret value held in this file - confirm whether it is stored encrypted, and
# keep cribl.yml out of world-readable locations, version control and unencrypted backups.
passphrase:
# Certificate path - Path on server in which to find certificates to use. PEM format. Can
# reference $ENV_VARS.
# [string; required]
certPath:
# CA certificate path - Path on server where to find CA certificates to use. PEM format. Can
# reference $ENV_VARS.
# [string]
caPath:
# Support
support:
# Feature Flag Overrides
featureFlagOverrides:
# Flag ID
# [string; min: 1; max: 100; required]
flagId:
# Enabled
# [boolean; default: true; required]
# NOTE(review): the label says "Enabled" but the key is `disabled`, so it is unclear from
# this listing which value turns an override on - confirm before setting it.
disabled:
# Authentication Settings
# The keys below cover several providers in one flat list: the LDAP keys (ldapServers through
# rejectUnauthorized), the Splunk keys (host, port) and the OIDC keys (issuer through scope),
# going by their labels. Presumably only the keys for the selected type apply - confirm.
auth:
# Type - Select from this list of supported authentication providers
# One of: local | splunk | ldap | openid | saas | saml
# [string; required]
type:
# LDAP servers - List of LDAP servers. Each entry should contain host:port (example:
# localhost:389).
# [array; min: 1; required]
ldapServers:
# Bind DN - Distinguished Name of entity to authenticate with LDAP server. Example:
# 'cn=admin,dc=example,dc=org'
# [string; required]
# NOTE(review): a bind account needs only enough directory rights to search users and groups;
# a read-only service account limits what a leaked bindCredentials value exposes.
bindDN:
# Password - Distinguished Name password used to authenticate with LDAP server
# [string; required]
# NOTE(review): secret value held in this file - confirm whether it is stored encrypted, and
# restrict read access to cribl.yml accordingly.
bindCredentials:
# Username field - LDAP user search field, such as cn or uid
# [string; default: cn; required]
usernameField:
# User search base - Starting point to search LDAP for users. Example: 'dc=example,dc=org'
# [string; required]
searchBase:
# Secure - Enable to use a secure LDAP connection (ldaps://); disable for unsecure (ldap://)
# connection
# [boolean; default: false]
# NOTE(review): the default is the unencrypted ldap:// connection, over which the bind
# password and users' login passwords travel in cleartext; set true wherever the directory
# supports ldaps://.
secure:
# User search filter - LDAP search filter to apply when finding user. Example:
# (&(group=admin)(!(department=123*)))
# [string]
searchFilter:
# Group search base - Starting point to search LDAP for groups. Example: 'dc=example,dc=org'
# [string]
groupSearchBase:
# Group member field - LDAP group search field, such as member
# [string; default: member]
groupMemberField:
# Group membership attribute - Attribute name of LDAP user object, such as dn. Determines group
# member attribute's value, which defines group's allowed users.
# [string; default: dn]
groupMemberValField:
# Group search filter - LDAP search filter to apply when finding group. Example:
# (&(cn=cribl*)(objectclass=group))
# [string]
groupSearchFilter:
# Group name field - LDAP group field, such as cn
# [string; default: cn]
groupField:
# Connection timeout (ms)
# [number; default: 5000]
connectTimeout:
# Validate server certs - Validate server certificates globally. Disable to allow self-signed
# certificates.
# [boolean; default: true]
# NOTE(review): false turns certificate validation off altogether, not only for self-signed
# certificates, so the identity provider is no longer authenticated to Cribl. Trusting the
# issuing CA is the safer way to accept a private or self-signed certificate.
rejectUnauthorized:
# Host - Hostname or IP address of Splunk instance
# [string]
host:
# Port - Management port of Splunk instance
# [number; default: 8089]
port:
# Issuer - The OIDC provider's issuer URL, e.g., https://accounts.google.com
# [string]
issuer:
# Authorization URL - The OIDC provider's authorization URL
# [string]
authorizationURL:
# Token URL - The OIDC provider's token URL
# [string]
tokenURL:
# UserInfo URL - The OIDC provider's UserInfo URL
# [string]
userInfoURL:
# Client ID - The client ID provided by the OIDC provider
# [string]
clientID:
# Client Secret - The client secret provided by the OIDC provider
# [string]
# NOTE(review): secret value held in this file - confirm whether it is stored encrypted, and
# rotate it at the provider if the file is ever exposed.
clientSecret:
# Callback URL - The callback URL where the OIDC provider redirects after authentication
# [string]
callbackURL:
# Scope - The scopes to request from the OIDC provider
# [string]
scope:
# System settings. upgrade, restart and installType have no description in this listing; only
# their allowed values are given.
system:
# One of: api | auto | false
# [string]
# NOTE(review): the type is documented as string, but an unquoted false is read by YAML
# parsers as a boolean - confirm which form Cribl expects.
upgrade:
# One of: api | false
# [string]
restart:
# One of: splunk-app | standalone
# [string]
installType:
# Share telemetry with Cribl - Help improve Cribl's products and capabilities by sharing
# anonymized telemetry data with Cribl
# [boolean]
# NOTE(review): no default is documented; set this explicitly where outbound data sharing is
# governed by policy.
intercom:
# Upgrade rollback settings: whether a failed upgrade is rolled back automatically, and how
# the node health check that triggers the rollback is timed and retried.
rollback:
# Enable automatic rollback - Automatically roll back the upgrade if it fails to start, or if
# the Worker Node fails to connect to the Leader
# [boolean; default: true; required]
rollbackEnabled:
# Rollback timeout (ms) - Time to wait before checking node health to perform an upgrade
# rollback
# [number; min: 1; default: 30000]
rollbackTimeout:
# Rollback condition retries - Number of times to retry health check before performing the
# rollback
# [number; min: 0; default: 5]
rollbackRetries:
# Check interval (ms) - Time to wait between retries
# [number; min: 100; default: 1000]
checkInterval:
# Backup location and retention.
backups:
# Backups directory - Directory where backups will be stored
# [string; default: $CRIBL_STATE_DIR/backups]
# NOTE(review): what a backup contains is not stated here; if it includes configuration, it
# can carry the secrets set elsewhere in this file, so give the directory the same access
# restrictions as the live configuration - confirm contents.
backupsDirectory:
# Backup persistence - Relative time expression for how long to keep the backups. Example: 24h
# [string; default: 24h]
backupPersistence:
# Worker process settings.
workers:
# number of worker processes to spawn, if less than 1 the value is added to CPU count
# [number; default: 1]
# Example of the rule above: -2 yields CPU count minus 2 processes.
count:
# [number; min: 1024; default: 2048]
# NOTE(review): no description or unit is given for memory - presumably a per-process memory
# limit in MB; confirm.
memory:
# Default TLS Settings
tls:
# Minimum TLS version - Minimum TLS version. Defaults to TLS 1.2.
# One of: TLSv1 | TLSv1.1 | TLSv1.2 | TLSv1.3
# [string]
# NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996). Going below the TLSv1.2 default
# should be a documented exception for a specific legacy peer, not a global setting.
minVersion:
# Maximum TLS version - Maximum TLS version. Defaults to TLS 1.3.
# One of: TLSv1 | TLSv1.1 | TLSv1.2 | TLSv1.3
# [string]
maxVersion:
# Default cipher list - Default suite of enabled and disabled TLS ciphers. Defaults to:
# ECDHE-RSA-AES128-GCM-SHA256:
# ECDHE-ECDSA-AES128-GCM-SHA256:
# ECDHE-RSA-AES256-GCM-SHA384:
# ECDHE-ECDSA-AES256-GCM-SHA384:
# DHE-RSA-AES128-GCM-SHA256:
# ECDHE-RSA-AES128-SHA256:
# DHE-RSA-AES128-SHA256:
# ECDHE-RSA-AES256-SHA384:
# DHE-RSA-AES256-SHA384:
# ECDHE-RSA-AES256-SHA256:
# DHE-RSA-AES256-SHA256:
# HIGH:
# !aNULL:
# !eNULL:
# !EXPORT:
# !DES:
# !RC4:
# !MD5:
# !PSK:
# !SRP:
# !CAMELLIA
# [string]
# The entries above form one colon-separated OpenSSL-style cipher string; entries prefixed
# with ! are exclusions.
# NOTE(review): the default still admits CBC-mode suites (the non-GCM *-SHA256 / *-SHA384
# entries) and the broad HIGH class; narrow it to the GCM entries if policy requires
# AEAD-only ciphers. Overriding this value replaces the exclusions as well, so carry them over.
defaultCipherList:
# ECDH curve - The curve name, or a colon-separated list of curve NIDs or names, to use for ECDH
# key agreement. For example: 'P-521:P-384:P-256'. Defaults to 'auto'.
# [string; default: auto]
defaultEcdhCurve:
# Validate server certs - Validate server certificates globally. Disable to allow self-signed
# certificates.
# [boolean; default: true]
# NOTE(review): false disables validation for every server certificate, not just self-signed
# ones, which removes protection against an intercepting host on outbound TLS connections.
# Adding the private CA to the trust store keeps validation on.
rejectUnauthorized:
# Proxy Settings
proxy:
# Use proxy env vars - Honor HTTP_PROXY/HTTPS_PROXY environment variables
# [boolean; default: true; required]
# NOTE(review): with the default of true, outbound traffic follows whatever proxy the process
# environment names, so the service's environment (unit file, container spec) is part of the
# trust boundary.
useEnvVars:
# Git integration settings: tracked branch, GitOps workflow, commit behaviour, and how Cribl
# authenticates to the remote repository.
git:
# Branch - The branch to track in your Stream deployment's git repository
# [string; default: master]
branch:
# GitOps workflow - The GitOps workflow for managing Cribl configuration
# One of: none | push
# [string; default: none]
gitOps:
# Collapse actions - Collapse Commit & Deploy into a single action. If you've configured a
# remote, Commit & Git Push will also be collapsed. Your default commit message below will be
# used for all commits.
# [boolean]
commitDeploySingleAction:
# Default commit message - Enter a default message to use for all commits
# [string; required]
defaultCommitMessage:
# Remote URL
# [string]
# NOTE(review): keep credentials out of the URL itself; the user/password and sshKey settings
# below exist for that.
remote:
# Git authentication type
# One of: none | ssh | basic
# [string; default: ssh]
authType:
# Scheduled global actions - Global git actions to run automatically on a schedule
# One of: none | commit | push | commitPush
# [string; default: none]
autoAction:
# Git timeout - Maximum time (in milliseconds) to wait for git processes before ending them.
# Enter 0 to wait indefinitely.
# [number; min: 0; default: 60000]
timeout:
# Generate commit messages automatically with Cribl Copilot - Cribl Copilot-generated messages
# override any default commit message you may have set
# [boolean]
copilotAutoGitCommitMessages:
# SSH private key - SSH private key (without passphrase) to use for authentication on remote git
# repo
# [string]
# NOTE(review): the key has no passphrase, so anyone who can read this value can use it. Use
# a key dedicated to this deployment with access to this repository only, and confirm whether
# the value is stored encrypted.
sshKey:
# SSH strict host key checking - Validate key against known hosts, to prevent spoofing or
# impersonation attacks. For details, see "Verifying Host Keys" [on the Linux man
# page](https://linux.die.net/man/1/ssh).
# [boolean; default: true]
# NOTE(review): leave this true. With checking off, any host answering at the remote address
# is accepted, and pushed configuration would be sent to it.
strictHostKeyChecking:
# Username - Username for authentication on remote git repo
# [string; required]
user:
# Password/Token - Password or Personal Access Token for authentication on remote git repo
# [string; required]
# NOTE(review): secret value held in this file. A token scoped to this one repository limits
# the damage if the file is exposed; confirm whether the value is stored encrypted.
password:
# [boolean]
# NOTE(review): fips has no description in this listing - presumably it toggles a FIPS mode
# for cryptographic operations; confirm what it changes before relying on it for compliance.
fips:
# SNI Routing
sni:
# Disable SNI-based connection routing - Advanced setting - do not change without consulting
# Cribl Support. This setting affects how connections are routed within the Cribl control plane.
# Changing this setting could affect the scalability of your system.
# [boolean; default: false]
disableSNIRouting:
# Sockets for IPC
sockets:
# Directory - Directory to hold sockets for inter-process communication (IPC), such as load
# balancing and Worker Processes. Defaults to your system's temp directory.
# [string; max: 64]
# NOTE(review): the system temp directory is normally writable by every local user. Socket
# permissions are not described here; on multi-user hosts, pointing this at a directory owned
# by the Cribl service account is the cautious choice.
directory:
# Shutdown Settings
shutdown:
# Drain timeout (sec) - How many seconds to wait for writes to complete before Cribl server shuts
# down on Workers
# [number; min: 1; max: 600; default: 10]
drainTimeout:
# PII Detection
pii:
# Enable PII detection - Enable periodic detection of PII in this group
# [boolean; default: false]
enablePiiDetection:
# Upgrade Group Settings
upgradeGroupSettings:
# Quantity - Percentage of workers to upgrade
# [number; default: 100]
quantity:
# Rolling upgrade - Upgrade workers one at a time
# [boolean; default: true]
isRolling:
# Retry delay (ms) - Number of milliseconds to wait in between upgrade attempts
# [number; default: 1000]
retryDelay:
# Retry count - Number of times to retry failed upgrade
# [number; default: 5]
retryCount:
# Upgrade Settings
upgradeSettings:
# Package source - Select download package source
# One of: cdn | path
# [string; default: cdn]
upgradeSource:
# Enable automatic upgrades - Disable to opt out of automatic upgrades when Cribl releases new
# versions
# [boolean; default: true]
# NOTE(review): the label says "Enable" but the key is disableAutomaticUpgrade, so it is not
# clear from this listing whether true switches automatic upgrades on or off - confirm before
# depending on it for patching or change control.
disableAutomaticUpgrade:
# Enable Legacy Edge upgrades - Opt in legacy upgrades
# [boolean; default: false]
enableLegacyEdgeUpgrade:
# Upgrade check period - Interval over which to check for out-of-date Nodes
# [string; default: 1h; required]
automaticUpgradeCheckPeriod:
# Custom Path - Provide your own URLs or local paths for platform-specific Cribl packages
# [required]
packageUrls:
# Platform-Specific Package Location - Package HTTP URL or local path
# [string; min: 1; required]
# NOTE(review): packages fetched from here are installed on Nodes, so the location is part of
# the software supply chain - prefer an https URL on a host you control.
packageUrl:
# Package Hash Location - Package's MD5 or SHA256 hash HTTP URL or local path
# [string; min: 1]
# NOTE(review): MD5 is not collision-resistant; publish a SHA256 hash. A hash served from the
# same location as the package detects corruption in transit but not a tampered source, and
# this setting is optional, so confirm what verification happens when it is unset.
packageHashUrl:
Example cribl.yml:
$CRIBL_HOME/default/cribl/cribl.yml
# Example configuration. Indentation was lost in this listing, so nesting is not visible here.
api:
# NOTE(review): no ssl settings appear in this example, so by the documented default (ssl
# disabled) the API listens on all interfaces over plain HTTP.
host: 0.0.0.0
port: 9000
disabled: false
# Throttle login and SSO/SLO callback requests to two per second.
loginRateLimit: 2/second
ssoRateLimit: 2/second
auth:
type: local
# NOTE(review): kms.local and crypto are not described in the reference above. keyPath points
# at a keys file, which presumably holds encryption keys and should be readable only by the
# Cribl service account - confirm.
kms.local:
type: local
crypto:
keyPath: $CRIBL_HOME/local/cribl/auth/keys.json
system:
upgrade: api
restart: api
installType: standalone
# Telemetry sharing with Cribl is switched on in this example.
intercom: true
upgradeSettings:
disableAutomaticUpgrade: true
enableLegacyEdgeUpgrade: false
workers:
# A count below 1 is added to the CPU count, so -2 means CPU count minus 2 processes.
count: -2
# NOTE(review): `minimum` is not described in the reference above - presumably a floor on the
# number of worker processes; confirm.
minimum: 2
memory: 2048
proxy:
useEnvVars: true
shutdown:
drainTimeout: 10
# If there is a custom gitignore rule that excludes cribl.secret from bundle
# NOTE(review): this pattern appears to pull git-ignored cribl.secret files back into the
# bundle. cribl.secret is presumably key material, so bundles built with this setting should
# be stored and transferred as secrets - confirm.
bundler:
bundleGitIgnoredPatterns: '**/cribl.secret'