A MySQL connection string requires this information:

• Protocol: Verify that your database is using a secure SSL or TLS connection and that you have the required certificates. Otherwise, your connection will need to use a non-secure protocol, which is not recommended. Append an s to your connection string header to enforce the secure SSL/TLS connection protocol. For example: mysqls://.
• Username: The database user account that has the necessary permissions to read tables and run queries. As a best practice, ensure that this account follows the principle of least privilege and has the minimum permissions required by Cribl Stream.
• Password: The password associated with the specified database user account.
• Host: The hostname or IP address where the MySQL database server is running.
• Port: MySQL uses a default port of 3306, but you should confirm this with your database administrator. It is possible that your deployment runs on a non-standard port.
• Database name: The specific name of the database (schema) on the server that contains the tables or data to collect.
• Optional parameters: Any additional parameters that are needed for extra settings or security, such as the SSL mode. For example: ?sslmode=require or ?sslmode=verify-full&sslrootcert=/path/to/ca.crt.

Use that information to build a connection string. MySQL connection strings use this syntax:

mysqls://username:password@host:port/databasename?option=value

Examples:

mysqls://audit_user:L0gM3In#@mysql-staging.net:3307/staging_logs
mysqls://cribl_reader:S3cur3R3@d3r!@prod_mysql_db.company.net:3306/production_logs?sslmode=verify-identity
mysql://dev_read:devpass123@192.168.1.5:3306/dev_data?sslmode=verify-full&sslrootcert=/path/to/ca.crt&sslcert=/path/to/client.crt&sslkey=/path/to/client.key.../mydb?sslmode=verify-full&sslrootcert=/path/to/ca.crt&sslcert=/path/to/client.crt&sslkey=/path/to/client.key

Oracle provides two methods for connecting to databases: Easy Connect or Oracle Net Connection. Check with your database administrator to determine which connection method is required for your database.

Although it is not part of the actual connection string, you will also need a valid username and password to connect to your Oracle database. This account needs the necessary permissions to read tables and run queries.

An Easy Connect connection string requires this information:

• Host: The hostname or IP address where the Oracle database server is running.
• Service name: The service name of the specific database instance that contains the data to collect.

Use that information to build a connection string. Easy Connect uses this syntax:

<host_name>/<service_name>

Examples of Easy Connect connection strings:

oracle-prod-vip.corp.net/FINANCE_PDB1 # default port
192.168.10.50:1523/HR_DATABASE_SID # non-standard port

An Oracle Net Connection requires this information:

• Protocol: The communication protocol used for the connection. For standard connections over a network, this is typically TCP.
• Host: The hostname or IP address where the Oracle database server is running.
• Port: Oracle uses a default port of 1521, but you should confirm this with your database administrator. It is possible that your deployment runs on a non-standard port.
• Service name: The service name of the specific database instance that contains the data to collect.

Use that information to build a connection string. Oracle Net Connections use this syntax:

(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=your_host_name)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=your_service_name)))

Examples of the Oracle Net Connection connection strings:

(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-prod-vip.corp.net)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=FINANCE_PDB1)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.10.50)(PORT=1523))(CONNECT_DATA=(SERVICE_NAME=HR_DATABASE_SID)))

A Postgres connection string requires this information:

• Username: The database user account that has the necessary permissions to read tables and run queries. As a best practice, ensure that this account follows the principle of least privilege and has the minimum permissions required by Cribl Stream.
• Password: The password associated with the specified database user account.
• Host: The hostname or IP address where the Postgres database server is running.
• Port: Postgres uses a default port of 5432, but you should confirm this with your database administrator. It is possible that your deployment runs on a non-standard port.
• Database name: The specific name of the database (schema) on the server that contains the tables or data to collect.
• Optional parameters: Any additional parameters that are needed for extra settings or security, such as the SSL mode. For example: ?sslmode=require or ?sslmode=verify-full&sslrootcert=/path/to/ca.crt.

Use that information to build a connection string. Postgres connection strings use this syntax:

postgresql://username:password@hostname:port/databasename?option=value

Examples:

postgresql://cribl_reader:P0stGresR3ad@pg-prod-us-west.company.net:5432/telemetry_data?sslmode=verify-full
postgresql://cribl_reader:P0stGresR3ad@10.0.10.25:5433/telemetry_data?sslmode=require

If your SQL Server authenticates with a service principal, you must first register an application with Microsoft Entra ID (formerly known as Azure Active Directory) as a prerequisite. To prevent connection errors, you will need to use its ID and credentials in your configuration. To register an application with Microsoft Entra ID:

1. Register an application using the instructions from Microsoft: Register an application in Microsoft Entra ID. You can use the default settings as needed.

2. Generate credentials for the application: Add and manage application credentials in Microsoft Entra ID.

   CREATE USER [<app_display_name>] FROM EXTERNAL PROVIDER;
   ALTER ROLE db_owner ADD MEMBER [<app_display_name>];

   Copy

3. After registering the application, get the following information from your Azure Portal:

   • Server Name: The Fully Qualified Domain Name (FQDN) or IP address of the machine hosting the SQL Server instance.
   • Database Name: The name of the specific logical database catalog on the SQL Server instance that contains the tables or data you want to collect.
   • Port: The TCP/IP port number on which the SQL Server is listening for connections. The default port is 1433, but it is possible that your deployment runs on a non-standard port.
   • Tenant ID: The Directory (tenant) ID for your Azure instance.
   • Client ID: The Application (client) ID for your app registration.
   • Client Secret: The secret value you generated for your service principal.

Use that information to build a configuration object. SQL Server configuration objects that authenticate with a service principal use this syntax:

{
  "server":  "<your-server-name.database.windows.net>",
  "database": "<your-database-name>",
  "port": 1433,
  "authentication": {
    "type": "azure-active-directory-service-principal-secret",
    "options": {
      "tenantId": "<your-tenant-id>",
      "clientId": "<your-application-id>",
      "clientSecret": "<your-client-secret-value>"
    }
  },
  "options": {
    "encrypt": true,
    "trustServerCertificate": false
  }
}

Example:

{
  "server": "prod-sql-metrics.database.windows.net",
  "database": "Application_Telemetry",
  "port": 1433,
  "authentication": {
    "type": "azure-active-directory-service-principal-secret",
    "options": {
      "tenantId": "8e20f01a-1e4b-4c5d-b0a9-1f2a3c4d5e6f",
      "clientId": "1c3b5d7e-9f0a-2b3c-4d5e-6f7a8b9c0d1e",
      "clientSecret": "V3ryS3cr3tT0k3n@2025!"
    }
  },
  "options": {
    "encrypt": true,
    "trustServerCertificate": false
  }
}

A Database Connection for a SQL Server that authenticates with Windows Challenge/Response, also known as Microsoft New Technology LAN Manager (NTLM), requires this information:

• Username: A Windows Domain User Account that has the necessary permissions to read tables and run queries. As a best practice, ensure that this account follows the principle of least privilege and has the minimum permissions required by Cribl Stream.
• Password: The password associated with the specified Windows Domain User Account.
• Domain: The NetBIOS name (or sometimes the full FQDN) of the Windows Active Directory domain that hosts the specified Windows Domain User Account. This name is necessary for the NTLM protocol to locate the Domain Controller for authentication.
• Server: The hostname or IP address of the SQL Server instance.
• Port: SQL Server uses a default port of 1433, but you should confirm this with your database administrator. It is possible that your deployment has configured your SQL Server to run on a non-standard port.
• Database name: The specific name of the database (schema) on the server that contains the tables or data to collect.

Use that information to build a configuration object. SQL Server configuration objects that authenticate with NTLM use this syntax:

{
  "authentication": {
    "type": "ntlm",
    "options": {
      "userName": "username",
      "password": "password",
      "domain": "domain"
    }
  },
  "options": {
    "connectTimeout": 15000,
    "trustServerCertificate": true
  },
  "port": 1433,
  "server": "hostname",
  "database": "databasename"
}

Example:

{
  "authentication": {
    "type": "ntlm",
    "options": {
      "userName": "cribl_reader",
      "password": "W1ndowsP@ssw0rd!",
      "domain": "CORP"
    }
  },
  "options": {
    "connectTimeout": 15000,
    "trustServerCertificate": true
  },
  "port": 1433,
  "server": "sql-prod-02.corp.local",
  "database": "Finance_Audit"
}

An SQL Server that authenticates with Active Directory on Azure using a connection string requires this information:

• Transport Protocol: Include a prefix for Server=tcp at the beginning of your connection string to explicitly direct the client driver to use the TCP/IP network protocol when establishing the initial connection.
• Server: The hostname, IP address, or Fully Qualified Domain Name (FQDN) of the machine hosting the SQL Server instance. This is the network address that Cribl Stream uses to locate the database service over the network.
• Port: SQL uses a default port of 1433, but you should confirm this with your database administrator. It is possible that your deployment runs on a non-standard port.
• User ID: The database user account that has the necessary permissions to read tables and run queries. As a best practice, ensure that this account follows the principle of least privilege and has the minimum permissions required by Cribl Stream.
• Password: The password associated with the specified database user account.
• Encrypt: Enforces the use of SSL/TLS encryption for the entire connection channel.
• TrustServerCertificate: Determines whether to validate the server’s certificate against a trusted Certificate Authority (CA). Setting this to False is the secure best practice.
• Authentication: Set to Active Directory Password to direct the SQL Server driver to use the Azure Active Directory service to validate the User ID and Password instead of relying on traditional SQL Server logins.
• Database: The name of specific logical database catalog on the server that contains the tables or data you want to collect.

Use that information to build a connection string. Active Directory on Azure connection strings use this syntax:

Server=tcp:server.database.windows.net,1433;User ID=userName@domain.onmicrosoft.com;Password=pa$$w0rd;Encrypt=True;TrustServerCertificate=False;Authentication="Active Directory Password";Database="database_name"

Example connection strings:

Server=tcp:sql-prod-pipeline.database.windows.net,1433;User ID=cribl_reader@enterprise.onmicrosoft.com;Password=P1peline$ecureK3y!;Encrypt=True;TrustServerCertificate=False;Authentication="Active Directory Password";Database="Observability_Metrics"

Server=tcp:sql-staging-test.database.windows.net,1433;User ID=dev_collector@corp.onmicrosoft.com;Password=StagingT3stPa$$;Encrypt=True;TrustServerCertificate=False;Authentication="Active Directory Password";Database="Telemetry_Dev"