Very early on in my career, I worked for AT&T Wireless, before it became Cingular and then AT&T Wireless again. As a young engineer, I remember running across various technical situations I couldn't explain. Why can't we connect this network to that one if there is a legitimate business need? Why must we always allocate … Continue reading Cribl LogStream 1.6: Logs to Metrics (Prometheus, Statsd, Graphite, Splunk Metrics)
Getting Smart and Practical With Dynamic Sampling
In the past we've written multiple posts about how Cribl helps you maintain visibility in high-volume/low-value scenarios without having to egregiously scale your analytics infrastructure. This problem usually stems from the fact that machine data emitted by your infrastructure is not all created equal. Some events are way less valuable than others but yet they consume … Continue reading Getting Smart and Practical With Dynamic Sampling
Streaming Data Deduplication with Cribl
The Problem It's not uncommon for machine data systems to send and receive duplicate or repeated events. This could be due to a variety of reasons, for example; Misconfiguration (a.k.a layer-8 problems) on the source, intermediary or aggregation systems may cause duplicate data to be sent out. Bugs or software defects may cause a data source to occasionally … Continue reading Streaming Data Deduplication with Cribl
Trimming Unnecessary Fields from Logs
The author of a log has very different motivations from the consumer of that same log. For the author, they must conceive of all the use cases this data may be useful for and include information which will be relevant both now and in the future. The author must ask a number of important questions … Continue reading Trimming Unnecessary Fields from Logs
Helping Threat Hunters While Staying Compliant: Categorizing and Scoring AWS CloudTrail Events in Real-Time
AWS CloudTrail is a service that "enables governance, compliance, operational auditing, and risk auditing of your AWS account." It continuously monitors accounts and it is one of the most valuable and probably the best data source for security analysis in AWS. Security and Operations teams love Cloudtrail because of the added visibility into user and resource … Continue reading Helping Threat Hunters While Staying Compliant: Categorizing and Scoring AWS CloudTrail Events in Real-Time
Cribl LogStream 1.5: Now Supporting Splunk Universal Forwarder and Syslog
Normally I prefer to write a wittier headline for a release announcement, especially for a release this important. Three things are holding me back, however: a) I really want you to know we support the Universal Forwarder and Syslog, b) length of headline, c) it's April Fucking 1st, and it's possible this is so cool … Continue reading Cribl LogStream 1.5: Now Supporting Splunk Universal Forwarder and Syslog
Context is King: Turning Ugly Logs into Rich Structured Events
Logs themselves often do not contain the necessary information in themselves to point an investigator in the right direction. Let's say I'm troubleshooting a performance issue with my application. I may want to dig through all kinds of data sources, like proxy logs, web access logs or custom instrumentation. But, in these data sources, proxy … Continue reading Context is King: Turning Ugly Logs into Rich Structured Events
