Cribl Stream 4.18.0 (Coming Soon)
| PRODUCT | DATE | RELEASE | ADDITIONAL RESOURCES |
|---|---|---|---|
| Stream | 2026-05-20 | Feature | Known Issues, Cribl Edge Release Notes |
The following draft provides early access to release notes for the upcoming Cribl Suite product release. Features or functionality described are not considered binding commitments and are subject to change at the discretion of Cribl at any time for any reason without notice. This information should not be relied upon in making purchasing decisions.
Cribl Stream 4.18.0 includes significant performance improvements, new capabilities, and important bug fixes.
Important Changes
Breaking Changes to Sensitive Information in API Responses
API responses for the following endpoints no longer include sensitive information in plaintext:
- /system/settings
- /system/settings/auth
- /lib/database-connections
This affects passwords and password-equivalent attributes such as bindCredentials and client_secret. The values for these attributes are omitted or masked in responses.
What you need to do: Update any automation or scripts that depend on reading these plaintext values from the API responses for these endpoints.
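A fail-closed check for automation affected by this change, as an added example (not Cribl's code): it walks a parsed response and reports sensitive attributes that are masked, empty, or omitted. The response shape, the `password` key name, and the mask heuristic (a string of one repeated non-alphanumeric symbol) are assumptions, since the page does not specify them.

```python
import json

# bindCredentials and client_secret are named in the release note;
# "password" is an assumed key name. Extend with the keys your scripts read.
SENSITIVE_KEYS = {"bindCredentials", "client_secret", "password"}

def looks_masked(value):
    # Assumption: a mask is one repeated non-alphanumeric symbol, e.g. "********".
    return (isinstance(value, str) and value != ""
            and len(set(value)) == 1 and not value.isalnum())

def classify(value):
    if value is None or value == "":
        return "empty"
    return "masked" if looks_masked(value) else "plaintext"

def audit_secrets(node, expected=(), _path=""):
    """Return {dotted_path: state} for sensitive attributes in a parsed response.
    Paths in `expected` that never appear are reported as 'omitted'."""
    findings = {}
    if isinstance(node, dict):
        children = node.items()
    elif isinstance(node, list):
        children = enumerate(node)
    else:
        children = ()
    for key, value in children:
        here = f"{_path}.{key}" if _path else str(key)
        if isinstance(value, (dict, list)):
            findings.update(audit_secrets(value, (), here))
        elif key in SENSITIVE_KEYS:
            findings[here] = classify(value)
    if not _path:  # top-level call only
        for want in expected:
            findings.setdefault(want, "omitted")
    return findings

def unreadable(findings):
    """Paths the script can no longer read; a non-empty list should abort the run."""
    return sorted(p for p, state in findings.items() if state != "plaintext")

# Constructed sample, not a real Cribl response schema.
SAMPLE_RESPONSE = json.loads("""{"items": [{"id": "auth", "type": "ldap",
  "ldap": {"bindDN": "cn=svc,dc=example,dc=org", "bindCredentials": "********"},
  "oidc": {"client_id": "stream-ui"}}]}""")
# Paths a hypothetical script used to read before the upgrade.
EXPECTED = ["items.0.ldap.bindCredentials", "items.0.oidc.client_secret"]

if __name__ == "__main__":
    for path in unreadable(audit_secrets(SAMPLE_RESPONSE, EXPECTED)):
        print("no longer readable from the API:", path)
```

Run it against saved responses from each affected endpoint before upgrading, and move any path it reports to a secret store lookup instead of the API read.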
Deprecation Notice: Disable Node Persistence
The Disable Node persistence setting is deprecated and will be removed in the upcoming 4.19.0 release. Node information is persisted by default. Use the Worker Group/Fleet-level Time to keep disconnected Nodes setting to control how long Nodes are tracked.
New Features
This release provides the following improvements:
Provisioning Tokens
Admins can now replace the single shared global auth token with multiple provisioning tokens. Push a new token to Worker and Edge Nodes individually or in batches without downtime, then revoke the old one once Nodes have migrated. Token usage is visible in the UI so you can track adoption and detect stale Nodes.
Custom AI Provider Enhancements
AI provider setup now includes a new 3-step wizard, support for LiteLLM and OpenAI-compatible endpoints, and Model Tier assignments (Small, Frontier, Reasoning). You can test model connections before saving and manage providers directly from the AI Settings dashboard.
MCP Integrations for Cribl AI
Cribl AI now supports external Model Context Protocol (MCP) servers, enabling AI agents to access third-party tools during conversations. You can connect external servers via endpoint URLs, with full support for authentication headers and external providers using API keys. All credentials are encrypted at rest.
Cribl Copilot Chatbot Toggle
Admins can now enable or disable the Cribl Copilot chatbot widget independently of other Cribl AI features. This allows you to hide the chat interface without impacting broader AI functionality. The toggle is enabled by default for consented deployments, preserving existing behavior upon upgrade.
Copilot Editor: Streamlined Pipeline Generation and Schema Support
Copilot Editor now automatically generates pipelines once sample data and a target schema are provided, displaying output events directly in the chat and removing the previous intermediate plan review step. The editor now also maps nested objects within custom schemas correctly, resolving previous formatting issues for sub-level OCSF types such as file metadata, network observables, and cryptographic hashes.
REST Collector Interactive Debug Mode
The REST Collector now includes an interactive debug mode that captures full HTTP request and response details for the authentication, discovery, and collection phases, simplifying troubleshooting of complex REST API integrations.
Azure Event Hubs AMQP Source
A new Azure Event Hubs AMQP Source ingests events via Event Hubs’ native AMQP protocol.
Okta Source
A new Okta Source enables Cribl Stream to collect Okta system logs using the Okta Management API.
OpenAI Compliance Logs Source
A new OpenAI Compliance Logs Platform Source enables organizations using ChatGPT Enterprise to collect compliance and observability logs for use in eDiscovery, DLP, and SIEM workflows.
Anthropic Compliance API Source
A new Anthropic Compliance API Source allows Cribl Stream to collect compliance data from Anthropic’s Enterprise Compliance API, enabling organizations to route AI usage and audit data into their security and observability pipelines.
ServiceNow Table API Source
A new ServiceNow Source allows Cribl Stream to selectively ingest records from ServiceNow’s Table API, giving security and IT operations teams direct access to any ServiceNow table.
Cribl Guard Detection Analysis and Model Selection
Cribl Guard can now use agentic Guard to analyze detections and propose recommended mitigation solutions, helping you review and understand detections more quickly.
We are also introducing a family of Cribl privacy models, and adding performance improvements to the previous AI model. You get to choose the background detection model that best fits your environment. Find the options in Guard > AI Settings.
We’ve also improved Guard Pipeline behavior for protections that you add manually in a Pipeline.
New S3-Compatible Destinations
Cribl Stream can now send data directly to the following platforms via their S3-compatible APIs:
- AlphaSOC: Send data to AlphaSOC’s threat intelligence platform.
- Cloudian: Support for Cloudian HyperStore object storage.
- Dell PowerScale OneFS: Support for Dell EMC PowerScale (formerly Isilon) object storage.
- Nutanix Objects: Support for Nutanix Objects storage.
- Scality: Support for Scality RING or ARTESCA.
- Storj: Send data to Storj decentralized cloud storage.
App Platform (Preview)
Use the new App Platform (Preview) to build and run custom apps in Cribl. Apps are packaged UI experiences that call Cribl and third-party APIs, letting you create tailored workflows and front-end experiences that go beyond the built-in product surfaces.
Experience Improvements
- Improved safeguards against infinite loops and runaway recursions in the Code Function. The Code Function now enforces a maximum limit on the total number of iterations and function calls allowed per event. Once the limit is reached, the Code Function stops processing whatever follows the statement that exhausted the allowed maximum.
- When you open a Route inside a Pack, the Data Preview pane now includes a Full Preview tab. This works like the global Full Preview, but the Entry Point and Exit Point controls are limited to resources defined in that Pack, making it easier to validate end-to-end Pack behavior without leaving the Pack context.
- The JSON Array Event Breaker now includes the option to remove fields immediately after event breaking. This is useful for reducing data volume by removing fields that are no longer needed once a large array is split, such as the original `__raw` field or parent metadata.
- You can now specify the maximum number of rotated log files to include per log type when creating a diagnostic bundle, using Max log files per type in the UI or the `-l` argument for `./cribl diag create` in the CLI.
- In Cribl.Cloud, users with IAM Admin access on Organizations can now manage Connected Environments.
- The internal `__output` field no longer appears in Data Preview or when you loop over all fields in an event using JavaScript in a Pipeline.
- The Persistent Queue (PQ) Monitoring view now includes Events Committed and Bytes Committed metrics to provide a definitive count for successful data delivery. These metrics only increment once data is confirmed as successfully flushed and delivered, allowing you to distinguish between attempted sends and verified throughput. Navigate to Monitoring > System > Queues (Sources) to access this view.
- The Worker/Edge Node GUID is now exposed in Pipeline metadata and can be referenced in Functions.
- The bootstrap installation script now supports SHA-256 verification in addition to MD5.
- A new Number of connection listener processes setting in Outpost Group configuration lets you define the number of connection processes for Outpost Nodes.
- In the Sample Files Actions menu, the previous Copy to Fleets/Packs option is now split into separate Copy to Fleet and Copy to Pack actions.
- A new Buffer size limit (bytes) setting is now available for Source and Destination persistent queues. The Buffer size limit (events) setting for Source persistent queues and the Backpressure duration limit for Destination persistent queues are deprecated in favor of this new byte-based setting, which provides more predictable memory management during backpressure. The legacy event-based setting will be fully removed in version 4.19.1. On upgraded Worker Groups and Fleets, the new byte-based limit defaults to 64 KB. Update your configurations to the new byte-based limit to ensure optimal memory stability.
- Node.js used by Cribl Stream and Cribl Edge has been upgraded from version 22.17.1 to 22.22.2 to incorporate upstream security fixes.
Sources and Destinations
- The OpenTelemetry Destination now supports dynamic metadata for the gRPC protocol, allowing outbound metadata values to be derived from fields within the inbound event at processing time.
- The OpenTelemetry Destination now supports OAuth2 Client Credentials authentication when using the HTTP protocol, enabling integration with endpoints that require this OAuth2 flow.
- Updated the Wiz Destination to use Wiz’s v3 ingestion endpoint, improving compatibility with larger payloads and aligning the integration with Wiz’s latest guidance.
- The Wiz Defend Destination now includes additional Wiz Source Type options in the dropdown, including AWS VPC Flow Logs, AWS Resolver Query Logs, and OCI Audit Logs.
- The ClickHouse Destination now supports a higher Body Size Limit for write batches, allowing configurations up to 25 MB (increased from 10 MB).
- The Google Cloud Pub/Sub Destination now maps an event’s `__attributes` field to native Pub/Sub message attributes on publish, allowing you to attach envelope-level metadata (such as `agency_name`, `src_host`, `s_ts`, and `r_ts`) without changing the message body format. This makes it easier to match existing Pub/Sub patterns and integrate with downstream consumers that rely on attributes for routing and policy enforcement.
- Prometheus Remote Write integrations now use the v2 parser by default for on-prem deployments.
- Event breakers for File Monitor have been enhanced to persist state across restarts, preventing files with custom header-based breakers and stateful breakers (such as multiline .csv files) from breaking incorrectly.
- Journal Files Sources have a new Suppress errors when search path does not exist option to suppress errors when a non-existent path is configured.
- The Prometheus Scraper Source now supports HTTP-based service discovery, allowing you to pull scrape targets dynamically from an internal REST API that implements Prometheus HTTP SD.
- The new Use field per metric setting in the Prometheus Scraper Source lets you output metrics in the same format as other metric Sources.
- Updated the Datadog Agent Source to support ZSTD-compressed logs, aligning with Datadog Agent 7.67.0 and later, where ZSTD is the default compression format.
- The OpenTelemetry Source (HTTP) now supports the configuration of multiple authentication tokens.
- The Wiz API Source now supports additional content types (Detections, Application Endpoints, and Cloud Resources V2) so you can ingest more Wiz security data directly into your pipelines.
- The Wiz API Source now supports configurable event breakers, allowing you to clone and customize the default Wiz ruleset to choose which time field drives incremental collection.
- The Microsoft Graph Source now supports state tracking using Graph delta queries, so supported endpoints can resume from a checkpoint instead of re-reading all data on each run.
Packs
Expanded Pack Variables
Pack variables now provide greater flexibility and portability. You can use variables within simple arrays and across an expanded set of fields in Collectors, Sources, and Destinations, allowing you to templatize almost any field configuration so Packs can adapt to different environments without manual intervention.
Pack Notifications for Sources and Destinations
You can now configure and manage Notifications for Sources and Destinations directly within the Pack context. This allows Pack developers to bundle alerting logic alongside data processing configurations.
Corrections
This release contains the following bug fixes:
Security Fixes
| ID | Description |
|---|---|
| CRIBL-35267 | better-sqlite3 updated to version 12.2.0 to include the latest security updates. |

To learn more about Cribl’s Security Program, please join us in #security in Cribl Community. Inquiries to Cribl’s Security Team may also be sent to security@cribl.io.
Operational Fixes
| ID | Description |
|---|---|
| CRIBL-19166 | Fixed an issue where the Redis Function could not resolve C.vars variables from Pack context, causing connections to be attempted against redis://undefined:6379 and repeatedly fail. The function now correctly evaluates Pack-level variables in the Redis URL so Pack-based pipelines can connect to Redis as configured. |
| CRIBL-29894 | Fixed an issue where HTTP-based Destinations with persistent queueing (PQ) enabled could underreport output bytes when events no longer included the _raw field. |
| CRIBL-38596 | Fixed an issue where the IBAN regex in the Regex Library did not correctly match Kazakhstan and Romania IBANs, and corrected the sample German IBAN. |
| CRIBL-39185 | Fixed an issue where the Clear Persistent Queue action could fail on hybrid deployments, even when the configured persistent queue path was valid and the queue was operating normally. |
| CRIBL-39549 | Fixed an issue where the Fold Keys Function could enter an infinite loop when processing events with circular references. |
| CRIBL-39698 | Fixed an issue where the Billing & Usage page link on Monitoring > System > Licensing returned a 404 for on-premises, cloud-connected Leaders. |
| CRIBL-40136 | Fixed an issue with the install-worker.sh script where a curl output format change caused incorrect reporting and handling of bootstrap failures. |
| CRIBL-40139 | Fixed an issue where an S2S Source inside a Pack could ignore the Pack’s configured Event Breakers and use the fallback Event Breaker instead. |
| CRIBL-40418 | Fixed an issue where changes to Groups, Fleets, or Pipelines named core could fail to commit. |
Source and Destination Fixes
| ID | Description |
|---|---|
| CRIBL-39385 | Fixed an issue where Syslog Sources configured with TLS mutual authentication did not log client certificate details at debug level, making it difficult to validate certificate-based authentication. Syslog now logs peer certificate information in debug logs. |
| CRIBL-39475 | Fixed an error where the File Monitor would fail to delete ZIP files after processing them. |
| CRIBL-39986 | Fixed an issue where APM traces sent through the Datadog Destination could arrive in Datadog but not be indexed due to sampling priority and target TPS settings. |
| CRIBL-39928 | Fixed an issue where an unresponsive HTTP destination could cause delivery to stall until the Worker was restarted after timed-out requests filled all available delivery slots. Timed-out requests now properly release their socket so retries can continue and delivery resumes when the destination becomes responsive again. |
Other Functional Fixes
| ID | Description |
|---|---|
| PLAT-11363 | In Cribl.Cloud, the Cribl.Cloud Role/Permission list at Organization > SSO Management > Organization-Level Mappings now includes IAM Admin and Billing Reader. |
SDK Changelogs
The Cribl SDKs help you integrate with Cribl and reduce the need for repetitive tasks. We maintain changelogs for each version of the Cribl SDKs in their GitHub repositories:
- Go SDK changelogs: control plane and management plane
- Python SDK changelogs: control plane and management plane
- TypeScript SDK changelogs: control plane and management plane