Cribl LogStream - Docs


v1.5 Release

10 months ago by dritan bitincka

2019-04-01 - Cribl LogStream v1.5 is now available.

What's New

- Support for Syslog Sources

  • Added capabilities to accept data streams from Syslog sources.
  • TCP/UDP and RFC3164/RFC5424 are supported.

- Support for Splunk UF Sources

  • Added capabilities to accept data streams directly from Splunk Universal Forwarders.

- Event/Stream Breaking and Timestamping

  • Added support for breaking data streams into events using Rulesets and Rules.
  • Added support for timestamping newly broken events using Rulesets and Rules.
  • Added support for adding fields to events while in breaking stage.
  • Added out-of-the-box event breakers for the following sources:
    AWS: ALB, ELB, VPC Flow Logs, CloudFront
    Palo Alto: Traffic, Threat, System and Config
    Cisco: ASA, FWSM, E-Streamer
    Bro: Bro Logs (Zeek)
    Apache Access: Combined and Common Log Formats
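The three bullets above describe one procedure: pick a rule, break the stream into events, stamp each event with a time found in its text, and attach fields while still in the breaking stage. The following is an added example, not LogStream's own code; the rule and ruleset shapes (`filter`, `breaker`, `tsRegex`, `tsParse`, `addFields`) are assumed for illustration, and the Apache Combined log lines are constructed. It also handles the edge case a stream-oriented breaker must get right: a chunk that ends mid-event is held back as a remainder and completed by the next chunk rather than being emitted as a truncated event.

```javascript
// Added example (not Cribl's code): a minimal event breaker with rulesets and
// rules. Rule shape is assumed for illustration only.

// Constructed Apache Combined Log Format sample: two complete events plus a
// partial third line (the chunk was cut mid-timestamp, as happens on TCP).
const SAMPLE_STREAM =
  '10.0.0.5 - alice [01/Apr/2019:10:15:32 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/7.64"\n' +
  '10.0.0.9 - - [01/Apr/2019:10:15:40 +0200] "POST /admin HTTP/1.1" 403 0 "-" "Mozilla/5.0"\n' +
  '10.0.0.7 - - [01/Apr/2019:10:1';

const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// Convert a matched "[dd/Mon/yyyy:HH:MM:SS +ZZZZ]" into epoch seconds (UTC),
// honouring the numeric timezone offset instead of assuming UTC.
function parseApacheTime(m) {
  const [, dd, mon, yyyy, hh, mi, ss, tz] = m;
  const localAsUtcSec = Date.UTC(+yyyy, MONTHS[mon], +dd, +hh, +mi, +ss) / 1000;
  const sign = tz[0] === '-' ? -1 : 1;
  const offsetSec = sign * (parseInt(tz.slice(1, 3), 10) * 3600 + parseInt(tz.slice(3, 5), 10) * 60);
  return localAsUtcSec - offsetSec; // local = UTC + offset, so UTC = local - offset
}

// A rule: when it applies, how to break, where the timestamp is, which fields to add.
const apacheCombinedRule = {
  name: 'Apache Combined',
  filter: (raw) => /^\d{1,3}(?:\.\d{1,3}){3} \S+ \S+ \[/.test(raw),
  breaker: /\n/,
  tsRegex: /\[(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-]\d{4})\]/,
  tsParse: parseApacheTime,
  addFields: { sourcetype: 'access_combined', breaker: 'Apache Combined' },
};

// Fallback rule: newline-delimited, no timestamp extraction.
const defaultRule = {
  name: 'Default', filter: () => true, breaker: /\n/,
  tsRegex: null, tsParse: null, addFields: { breaker: 'Default' },
};

// A ruleset is an ordered list; the first rule whose filter accepts the data wins.
const RULESET = [apacheCombinedRule, defaultRule];

function selectRule(raw, ruleset) {
  return ruleset.find((r) => r.filter(raw)) || defaultRule;
}

// Break `raw` into events. Returns the events plus any trailing partial event,
// which the caller prepends to the next chunk. `nowSec` is the receipt time used
// when no timestamp can be extracted.
function breakStream(raw, ruleset, nowSec = Math.floor(Date.now() / 1000)) {
  const rule = selectRule(raw, ruleset);
  const parts = raw.split(rule.breaker);
  const remainder = raw.endsWith('\n') ? '' : parts.pop();
  const events = [];
  for (const part of parts) {
    if (part.length === 0) continue;
    const ev = { _raw: part };
    const m = rule.tsRegex ? rule.tsRegex.exec(part) : null;
    if (m) {
      ev._time = rule.tsParse(m);
      ev.time_source = 'event';
    } else {
      ev._time = nowSec;
      ev.time_source = 'receipt';
    }
    Object.assign(ev, rule.addFields); // fields added during the breaking stage
    events.push(ev);
  }
  return { events, remainder };
}
```

Keeping `time_source` on the event is a cheap way to spot timestamp-recognition failures later: a burst of `receipt`-stamped events from a source that normally carries its own time usually means the format changed or the breaker rule stopped matching.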

- Azure Blob Store

  • Added capability to write data out to Azure Blob Store directly using arbitrary data partition expression. JSON and RAW output formats are both supported.

- Azure Event Hub

- Support for Confluent Schema Registry

  • Added support for reading AVRO encoded data out of Kafka using schema in Confluent's Schema Registry.
  • Added support for writing data to Kafka using schema stored in Confluent's Schema Registry.

- CEF Format

  • Added support for serializing/formatting and sending events out in CEF standard.

- Dynamic Sampling Function

  • Added a function that dynamically and automatically adapts sampling rate based on volume. Logarithmic and Square Root modes are supported.
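To make the two modes concrete, here is an added example (not Cribl's implementation) of volume-adaptive sampling. The release note does not state LogStream's formula, so the rates below are an assumed illustration: in logarithmic mode the sampler keeps 1 in floor(ln(volume)) events, in square-root mode 1 in floor(sqrt(volume)), where volume is the number of events seen for a key (here, the source host) in the previous window. The traffic counts in the simulation are constructed.

```javascript
// Added example (not Cribl's code). Assumed rates:
//   'log'  -> keep 1 in max(1, floor(ln(volume)))
//   'sqrt' -> keep 1 in max(1, floor(sqrt(volume)))
// `volume` is the per-key event count from the previous window.
function sampleRateFor(volume, mode) {
  if (volume < 1) return 1;
  const r = mode === 'sqrt' ? Math.sqrt(volume) : Math.log(volume);
  return Math.max(1, Math.floor(r));
}

class DynamicSampler {
  constructor(mode, keyFn) {
    this.mode = mode;
    this.keyFn = keyFn;          // groups events, e.g. by host or sourcetype
    this.lastWindow = new Map(); // key -> volume in the previous window
    this.current = new Map();    // key -> volume so far in this window
  }

  // Returns the event (with a `sampled` field holding the rate) if kept, else null.
  // The first event for a key in each window is always kept, so a new or rare
  // key is never silenced by a high rate.
  offer(event) {
    const key = this.keyFn(event);
    const seen = (this.current.get(key) || 0) + 1;
    this.current.set(key, seen);
    const rate = sampleRateFor(this.lastWindow.get(key) || 0, this.mode);
    if ((seen - 1) % rate !== 0) return null;
    return { ...event, sampled: rate };
  }

  // Close the window: this window's volumes drive next window's rates.
  rotate() {
    this.lastWindow = this.current;
    this.current = new Map();
  }
}

// Simulate successive windows; countsPerWindow is e.g. [{ A: 1000, B: 3 }, ...].
// Returns, per window, how many events per host were kept.
function simulateWindows(mode, countsPerWindow) {
  const sampler = new DynamicSampler(mode, (e) => e.host);
  const kept = [];
  for (const counts of countsPerWindow) {
    const k = {};
    for (const [host, n] of Object.entries(counts)) {
      k[host] = 0;
      for (let i = 0; i < n; i++) {
        // constructed event
        if (sampler.offer({ host, msg: `event ${i}` }) !== null) k[host] += 1;
      }
    }
    kept.push(k);
    sampler.rotate();
  }
  return kept;
}
```

Two points matter when this sits in front of a SIEM. First, the `sampled` field carries the rate with each kept event so downstream counts can be reconstituted (multiply by `sampled`); without it, sampled data silently understates volumes in dashboards and thresholds. Second, the key function decides who gets throttled: keying on host alone lets a noisy host's rate also thin out the rare, interesting events it emits, so keying on something like host plus event type is usually the safer choice for security sources.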

Other Improvements or Changes

  • Added support for sending Cribl Internal logs down the Routes/Pipelines for troubleshooting using systems downstream.
  • Added support for restarts from within the management UI.
  • Added support for real-time polling of status endpoint for enhanced visibility.
  • Improved Mask function to support wildcarded list of fields.
  • Improved Regex Extract function to extract both keys and values (_NAME_0, _VALUE_0).
  • Added heuristics to improve timestamp recognition capabilities.
  • Shipped a new license that expires on July 31, 2019.
  • General UX improvements and fixes.
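Two of the bullets above, the wildcarded Mask field list and the key/value Regex Extract via _NAME_0/_VALUE_0, combine naturally into one small pipeline. The following is an added example, not LogStream's own code. Assumed semantics: a regex whose named groups `_NAME_n` and `_VALUE_n` match once per key/value pair, each pair becoming a field on the event; and a mask function whose field list accepts `*` wildcards. The key/value log line is constructed. The example also shows the check a practitioner should make after masking extracted fields: `_raw` still holds the original text unless it is masked too.

```javascript
// Added example (not Cribl's code). Group-naming convention assumed from the
// release note: _NAME_0 supplies the field name, _VALUE_0 its value.
const KV_REGEX = /(?<_NAME_0>[A-Za-z_][\w.]*)=(?<_VALUE_0>"[^"]*"|\S+)/g;

// Constructed authentication log line containing secrets that must not reach
// downstream systems.
const SAMPLE_LINE =
  'user=alice src_ip=10.1.2.3 password="hunter2" session_token=abc123def456 action=login';

// Run a global regex over _raw; every (_NAME_n, _VALUE_n) pair becomes a field.
function regexExtract(event, regex) {
  const out = { ...event };
  for (const m of event._raw.matchAll(regex)) {
    const groups = m.groups || {};
    for (const groupName of Object.keys(groups)) {
      const idx = groupName.match(/^_NAME_(\d+)$/);
      if (!idx) continue;
      const name = groups[groupName];
      const value = groups[`_VALUE_${idx[1]}`];
      if (name === undefined || value === undefined) continue;
      out[name] = value.replace(/^"|"$/g, ''); // strip surrounding quotes
    }
  }
  return out;
}

// Turn a field pattern such as "*_token" into an anchored regex; only `*` is
// special, every other regex metacharacter in the pattern is escaped.
function wildcardToRegex(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp(`^${escaped}$`);
}

// Apply maskRegex/replacement to every string field whose name matches one of
// the wildcard patterns. Non-matching fields are left untouched.
function maskFields(event, fieldPatterns, maskRegex, replacement) {
  const matchers = fieldPatterns.map(wildcardToRegex);
  const out = { ...event };
  for (const [field, value] of Object.entries(out)) {
    if (typeof value !== 'string') continue;
    if (!matchers.some((m) => m.test(field))) continue;
    out[field] = value.replace(maskRegex, replacement);
  }
  return out;
}

// Pipeline: extract, mask the secret-bearing fields, then mask the same secret
// inside _raw so the original line does not leak what the fields hid.
function processLine(raw) {
  const extracted = regexExtract({ _raw: raw }, KV_REGEX);
  const fieldsMasked = maskFields(extracted, ['password', '*_token'], /.+/, '<redacted>');
  return maskFields(
    fieldsMasked,
    ['_raw'],
    /\b(password="?|session_token=)[^"\s]*/g,
    '$1<redacted>',
  );
}
```

The last step is the one most often forgotten: masking `password` as a field is invisible to anyone who searches `_raw`, so the mask must be applied wherever the value can appear. Checking the processed event for the known sample secret (as the test below does) is a cheap regression guard for pipelines that handle credentials.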

Added Cribl Standalone CLI utilities

  • $CRIBL_HOME/bin/{start|stop|restart|status} [--force]
  • Added init.d script for starting on boot.