Cribl Stream 3.5
2022-03-22 – Cribl Stream 3.5 – GA Release | Edge 3.5 release notes are here.
New Features
Our cutting-edge 3.5 release is the best thing since vintage 3.5mm headphone jacks and Windows NT 3.5, and we’re proud to announce that it includes the following new capabilities.
Leader High Availability
Requested by customers, failover to a backup Leader is now a reality. If your primary Leader goes down, the backup Leader will inherit its configs, state, and metrics – allowing Collectors and Collector-based Sources to continue ingesting data without interruption.
Notifications on Sources and Collectors
Notifications on Destination states and license expiration were a hit, so we’ve added a prequel. You can now set thresholds to trigger Notifications when a Source’s or Collector’s data ingestion rate is abnormally high or low, or when it is receiving no data at all.
It’s Parquet
Two Sources (Amazon S3 and Azure Blob Storage) can now read Parquet-formatted files, and five Destinations can now write Parquet files: Amazon S3, Azure Blob Storage, Google Cloud Storage, MinIO, and Filesystem. This opens up Cribl Stream to Parquet’s potential for lower storage costs and higher query performance.
Syslog RFC-6587 Support
The Syslog Source and Destination now support both types of syslog RFC‑6587 event formats: non-transparent framing and octet-counting. This enables Cribl Stream to accept and break events from common upstream sources like Corelight and Fortinet.
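The two RFC 6587 framings named above, as an added example that is not part of these release notes and is not Cribl's code: a receiver-side splitter that recognises octet-counting by a leading digit and non-transparent framing by a leading "<", with a size cap on each frame. The function names, the sample messages and the 8192-byte cap are assumptions made for illustration.

```python
# Added example (not Cribl code): split a TCP byte stream into syslog frames
# using the two RFC 6587 framings. All names and the size cap are assumptions.
MAX_MSG_LEN = 8192  # assumed cap so a bogus length cannot force unbounded buffering

# Constructed sample messages (not real log data).
MULTILINE = b"<13>1 - fw01 app - - - first\nsecond"
SIMPLE = b"<14>1 - fw01 app - - - ok"


class FramingError(ValueError):
    """The stream matches neither framing, or a frame exceeds the cap."""


def octet_frame(msg: bytes) -> bytes:
    """Encode one message with octet-counting: MSG-LEN SP SYSLOG-MSG."""
    return str(len(msg)).encode() + b" " + msg


def split_frames(buf: bytes, max_len: int = MAX_MSG_LEN):
    """Return (messages, remainder); remainder is an incomplete trailing frame."""
    msgs, pos, n = [], 0, len(buf)
    while pos < n:
        if buf[pos:pos + 1] in b"123456789":  # octet-counting
            end = pos
            while end < n and buf[end:end + 1].isdigit():
                end += 1
            if end - pos > len(str(max_len)):
                raise FramingError("length prefix too long")
            if end == n:
                break  # length prefix not fully received yet
            if buf[end:end + 1] != b" ":
                raise FramingError("missing SP after MSG-LEN")
            length = int(buf[pos:end])
            if length > max_len:
                raise FramingError("frame exceeds cap")
            start = end + 1
            if start + length > n:
                break  # body not fully received yet
            msgs.append(buf[start:start + length])
            pos = start + length
        elif buf[pos:pos + 1] == b"<":  # non-transparent framing, LF trailer
            nl = buf.find(b"\n", pos)
            if (n if nl == -1 else nl) - pos > max_len:
                raise FramingError("frame exceeds cap")
            if nl == -1:
                break  # trailer not received yet
            msgs.append(buf[pos:nl].rstrip(b"\r"))
            pos = nl + 1
        else:
            raise FramingError("unrecognised frame start")
    return msgs, buf[pos:]
```

A message with an embedded line feed survives octet-counting intact, while the same bytes under non-transparent framing are cut at the line feed and the tail is rejected as an unrecognised frame.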
Cribl HTTP and Cribl TCP Sources and Destinations
Four new Sources and Destinations – Cribl HTTP and Cribl TCP, on each side – are now available to route data between distributed Workers connected to the same Leader. In a hybrid Cloud deployment, these Sources ensure that you’re billed for ingress only once – when the data is originally received by Stream or Edge. From there, data transferred to peer Workers via these integrations does not charge against your license quota or credits.
Windows Event Logs Source
Cribl Edge (only) provides a new native Source to collect events via the Windows Event Log API. For details, see the Edge 3.5 release notes.
Cribl.Cloud Supports US East Region
Cribl.Cloud Organizations can now be created (upon signup) in the AWS US East/Virginia Region, as well as in US West/Oregon. Whether you need to manage data in the National Capital Region to reduce latency or transfer costs, or ensure compliance, or [REDACTED], you can now collocate your Leader and Cribl-managed Workers in the same AWS Region.
Cribl.Cloud Hybrid Workers Go Wild
Hybrid Workers managed by Cribl.Cloud Leaders can now take advantage of persistent queueing, Scripts, the Code Function, and the Filesystem Collector and Destination for read/write access to their hosts’ files.
Cribl.Cloud Ports Expansion
Cribl.Cloud now provides default ingestion ports for the commonly used Amazon Kinesis Firehose and Windows Event Forwarder Sources. These are available on Cribl-managed and hybrid Workers, freeing up more of your Organization’s ports 20000–20010 to configure for custom data types.
Packs Validation and Versioning
Cribl now manually validates Packs uploaded by community users to the Cribl Packs Dispensary™. This helps ensure that downloadable Packs are useful, legible, and contain only good stuff. For details, see Publishing a Pack.
Upon export, Packs’ default file names now automatically include the Pack’s version number.
UX/UI Improvements
As with each release, we’ve tweaked Cribl Stream’s UI in multiple small ways to enhance usability, predictability, and elegance.
Deprecated Source and Destination
The Cribl Stream Source and Cribl Stream Destination are now deprecated, and will be removed in a future release. Please switch your deployments to the new Cribl HTTP or Cribl TCP Source/Destination instead.
Corrections
This version includes the following corrections:
CRIBL-10255 Corrected Exec Source > Interval setting’s unintended override of cron schedules.
CRIBL-10082 The OpenTelemetry Destination no longer drops aggregated integer metrics when sending to Prometheus.
CRIBL-9565 On TCP-based, load-balanced Destinations with persistent queueing enabled, corrected spurious error message "Attempted to flush previously flushed buffer token".
CRIBL-10223 Adding or removing Packs no longer deletes Pipelines when a Route filter’s regex contains an invalid character.
CRIBL-9235 Referencing a Pack in a Pipeline’s Chain Function no longer causes Functions within the Pack to throw errors.
CRIBL-10228, CRIBL-10229 The Worker Groups page now loads correctly after an upgrade, without throwing "failed to send policies to services" errors.
CRIBL-9838 When updating an existing Worker with Server TLS enabled, the Script field now correctly sets up a tls:// URL.
CRIBL-10264 Corrected Live data capture with Leaders in GitOps read-only mode.
CRIBL-10601 Diagnostic bundles are now created in the correct $CRIBL_HOME and $CRIBL_INSTANCE_HOME directories.
CRIBL-8812 Improved messaging around bad Event Breakers.