v.4.9 Release

Double, double, toil and trouble; Cribl Stream 4.9 is ready to rumble! This October, we’re conjuring up some powerful new features and improvements.

CentOS 7 Deprecation

​

We’ve deprecated support for CentOS 7 on the Cribl Stream Leader and Worker Nodes. We will remove full support for CentOS 7 in a future release. To ensure the security and stability of your Cribl Stream deployment, we recommend that you migrate to an operating system that will continue to receive security updates and patches. Please visit the CentOS website for migration information.

New Features

​

This release provides the following improvements:

New Destinations

​

We now support Destinations for ClickHouse, Dynatrace HTTP (logs only), and Dynatrace OpenTelemetry Protocol (OTLP); giving you more choices for handling your logs, traces, metrics, and more.

New Source

​

With the new Amazon Security Lake Source, you can transform, trim, or shape incoming data from Amazon Security Lake and then send it to a downstream Destination, such as your preferred security analytics tool. This Source supports receiving Amazon Simple Queue Service (SQS) data from Amazon Security Lake event subscriptions.

Worker Groups Across AWS Regions

​

In Cribl.Cloud, you can now create Cribl-managed Worker Groups in different AWS regions. You are no longer limited to the region where the Organization Leader resides.

New Navigation Experience

​

We’ve streamlined your UI navigation experience across all Cribl products! The UI changes that have been opt-in for Enterprise customers since release 4.5 are now the default for all users. This preview period allowed us to incorporate your feedback and optimize the layout. The main change you’ll notice is that we’ve decluttered the top of your browser, consolidating most navigation in a collapsible left sidebar. This sidebar is context-sensitive, enabling you to access product-specific options, as well as Global Settings.

New Leader Limits Settings

​

We’ve introduced new KV Store limit settings to alleviate high CPU usage from the API process on the Leader Node.

Functional Improvements

​

We introduced the following functional changes to Cribl Stream:

Cribl.Cloud

​

• In Cribl.Cloud, you can now create API credentials for each individual Workspace. This gives you more precise control over Workspace management and lets you control Products programmatically. For each Workspace, you can define a Workspace permission and, if relevant, product-level permissions.

• An Admin user now has full permissions for all products, and can execute Leader commits and modify Global Settings.

• Persistent queue (PQ) support is now available for Cribl managed Cloud Worker Groups hosted on Azure, which helps prevent data loss when a receiver is unreachable.

• You can now provision Cribl-managed Stream Worker Groups in any region under a single workspace. This is available for both AWS and Azure, providing the ability to locate Worker Groups within the region where your data is being processed and routed.

User Experience Updates

​

• We’ve added support for vertical scrolling on the Cribl login page to better support display-related requirements.

• You can now reuse your preceding commit message by selecting Use Previous Commit Message in the Git Commit Changes modal.

• The user interface has new icons to better denote fields expecting JavaScript or regular expression format.

Sources and Destinations

​

General Integrations Improvements

​

• Sources and Destinations now support optional description fields.

• When Cribl Stream encounters an invalid octet count (per RFC 6587) while parsing an octet-counted stream of TCP syslog messages, it will now emit the events preceding the invalid count and close the socket connection. This reduces CPU and memory usage since Cribl Stream is not leaving the socket open.

• You can now use the Cribl command-line interface to disable the Script Collector in your entire Cribl Stream deployment. Running this command removes the Script Collector from all current Worker Nodes and applies this configuration to any new Worker Nodes you create.

Improvements to Sources and Collectors

​

• The Splunk HEC Source authentication tokens interface now has a more user-friendly display. You can expand or collapse authentication token details to view either a more detailed or compact version of the token details as needed.

• We’ve updated the REST Collector for a more intuitive and streamlined configuration experience.

• The REST Collector now supports pagination when configured for HTTP Discover. The pagination options are identical to the Collect step.

• The Amazon S3 Source can now receive Amazon Simple Queue Service (SQS) data from Amazon Security Lake event subscriptions in addition to S3 SQS event notifications.

• The Splunk TCP and Splunk HEC (S2S v4) Sources now include an Extract metrics setting to ensure that Splunk-generated metric events are correctly identified and processed as Cribl metrics, maintaining their metric nature when forwarded.

Improvements to Destinations

​

• Destinations now have the additional persistent queue modes Always On and Backpressure. These modes allow you to choose how Cribl Stream writes data to disk during a backpressure event.

• To provide better error handling and data recovery for Filesystem-based Destinations, we’ve added a new dead-lettering feature. Cribl Stream disables this feature by default. Dead-lettering allows you to configure where Cribl Stream will store failed files, and how many times it will retry the file before considering it “dead”. Stream will move failed files to the specified location after exceeding the retry limit.

• Filesystem-based Destinations now provide a Disk space protection setting allowing you to either block or drop incoming events when the disk space falls below the globally defined Min free disk space amount.

Corrections

​

We made the following fixes in this release:

Operational Fixes

​

Source and Destination Fixes

​