v.4.13.1 Release

PRODUCTDATERELEASEADDITIONAL RESOURCES
Stream2025-08-13MaintenanceKnown Issues, Cribl Edge Release Notes

Cribl Stream 4.13.1 delivers crucial operational improvements, enhanced stability, and important bug fixes.

Important Changes

Upgrade Advisory for S3 Destinations Targeting Buckets with Object Lock

In this release, we have upgraded our internal AWS SDK for JavaScript from v2 to v3 to address the upcoming end of support for v2 by AWS.

  • If you use the Amazon S3 Destination with S3 Object Lock: DO NOT UPGRADE to version 4.13.1. The Amazon S3 Destination will fail when configured to send data to an S3 bucket with default Object Lock enabled. Please wait for the upcoming patch release. See the Known Issue for details.
  • If you DO NOT use the S3 Object Lock feature: You can safely upgrade to this version to ensure your software supply chain contains the fully supported AWS SDK v3.

Sources and Destinations

  • The Confluent Cloud and Kafka Sources and Destinations now support JSON schema types for message encoding and decoding via the Confluent Schema Registry. A new Schema type setting allows you to select either Avro or JSON for event serialization.

  • The Grafana and Loki Sources and Destinations now support structured metadata for logs. Toggle on the new Enable structured metadata setting to add string key-value pairs from the internal __structuredMetadata field, allowing you to enrich events with high-cardinality context (like trace IDs) without inflating label sets.

  • The Loki Destination now supports dynamic HTTP headers. The Destination inspects each event for a __headers object and batches events with identical __headers values, sending them in a single HTTP request. This allows for per-event custom headers, supporting use cases like multi-tenant routing and dynamic authentication.

  • The Google Cloud Pub/Sub Source now supports monitoring existing subscriptions using only the subscription ID. Enable the new Monitor subscription for new messages toggle when only subscription-level access is available.

Packs

We added more REST Collector Packs to the Cribl Packs Dispensary for CrowdStrike, Okta, and Microsoft O365.

Corrections

This release contains the following bug fixes:

Operational Fixes

IDDescription
CRIBL-33815
Fixed an issue where sorting Packs by Display Name in the UI did not work as expected. Packs now sort correctly by Display Name.
CRIBL-33362Resolved an issue in the Flows chart on the Monitoring page where the pre-processing Pipeline’s bytes metric incorrectly mirrored the last active route’s value. The pre-processing Pipeline now accurately displays the bytes received directly from the Source.
CRIBL-29531Fixed an issue where Syslog Sources configured with only TCP ports or UDP (but not both) did not appear in the Flows chart on the Monitoring page. All Syslog Source configurations now correctly display in the graph, providing a complete view of your data flows.
CRIBL-30721Fixed a UI issue in the Parser Function where the Destination field option was missing for Regex and Grok types. The Destination field is now consistently available for all Parser Function data types.
CRIBL-33597Fixed the confusing UI output in the Event Breaker Preview. The Event Breaker output preview now shows all events that were broken out by the rule, including events that don’t match the filter. Events that don’t match the filter appear with a strike-through them.
CRIBL-32737Fixed a misleading UI issue in the Event Breaker Rules preview where the timestamp highlight disappeared when using a non-local timezone and the %H format. The timestamp now applies correct highlighting, ensuring accurate visual feedback during configuration.
CRIBL-31765Fixed an issue in our Git commit process to more securely attribute commit messages to the correct user.
CRIBL-33777Fixed an issue that prevented Packs from importing configurations with load-balanced Sources or Destinations when running a Single-instance deployment for Cribl Stream.
CRIBL-34479Fixed a regression that prevented the HashiCorp Vault KMS (Key Management Service) from functioning correctly. This fix restores it to its expected behavior, allowing you to once again use HashiCorp Vault for key management.

Source and Destination Fixes

IDDescription
CRIBL-30022
Fixed an issue where the File Monitor Source would intermittently mix up the source/headers of events from two CSV files created sequentially.
CRIBL-32559The HTTP Source now completes TLS handshakes when Show originating IP is enabled. Previously, this setting would cause the handshake to fail, preventing secure connections.
CRIBL-33157The Google Security Operations Destination now reliably refreshes its authentication token on all Worker Processes. Previously, some Workers could stop refreshing the token, resulting in expired tokens and loss of data delivery. Affected Workers would repeatedly log “Auth token has expired” without a corresponding “Auth token refreshed” entry.
CRIBL-32338Collector configuration pages now include default regex filter expressions based on the Collector ID, to help reduce errors in Route filters.
CRIBL-34334We fixed an issue where some events were excluded from the Preview results when the preview included a collection job that finished quickly.
CRIBL-34053Amazon CloudWatch Logs Destination now correctly handles Worker Node restarts when configured with a static log stream name. Previously, after upgrading to version 4.13, Worker Nodes would attempt to create the same log stream on startup, triggering a ResourceAlreadyExistsException error with the message “The specified log stream already exists,” causing data delivery failures.
CRIBL-32751The Google Cloud Pub/Sub Source now handles invalid or empty Topic ID configurations. Previously, this caused the Source to repeatedly attempt connections, leak sockets, and generate repeated Error listing topic permissions messages in logs.
CRIBL-33471Azure Blob Sources and Destinations now support authentication with Client secret or Certificate when an HTTP proxy is configured.
CRIBL-33117The REST Collector now correctly honors the Reject unauthorized certificates setting when a proxy is configured with a NO_PROXY list.

Other Functional Fixes

IDDescription
CRIBL-33595
You can now sort by connection status in Edge Nodes and Workers lists.
CRIBL-33511We fixed a problem in which a user with the User Worker Group permission and the Editor Project permission could not copy a Pipeline.