Cribl LogStream 1.6: Logs to Metrics (Prometheus, Statsd, Graphite, Splunk Metrics)

Very early on in my career, I worked for AT&T Wireless, before it became Cingular and then AT&T Wireless again. As a young engineer, I remember running across various technical situations I couldn't explain. Why can't we connect this network to that one if there is a legitimate business need? Why must we always allocate …

Getting Smart and Practical With Dynamic Sampling

In the past we've written multiple posts about how Cribl helps you maintain visibility in high-volume/low-value scenarios without having to egregiously scale your analytics infrastructure. This problem usually stems from the fact that machine data emitted by your infrastructure is not all created equal. Some events are far less valuable than others, yet they consume …

Streaming Data Deduplication with Cribl

The Problem

It's not uncommon for machine data systems to send and receive duplicate or repeated events. This can happen for a variety of reasons, for example: misconfiguration (a.k.a. layer-8 problems) on the source, intermediary or aggregation systems may cause duplicate data to be sent out. Bugs or software defects may cause a data source to occasionally …

Helping Threat Hunters While Staying Compliant: Categorizing and Scoring AWS CloudTrail Events in Real-Time

AWS CloudTrail is a service that "enables governance, compliance, operational auditing, and risk auditing of your AWS account." It continuously monitors accounts, and it is one of the most valuable, and probably the best, data sources for security analysis in AWS. Security and Operations teams love CloudTrail because of the added visibility into user and resource …

Cribl LogStream 1.5: Now Supporting Splunk Universal Forwarder and Syslog

Normally I prefer to write a wittier headline for a release announcement, especially for a release this important. Three things are holding me back, however: a) I really want you to know we support the Universal Forwarder and Syslog, b) length of headline, c) it's April Fucking 1st, and it's possible this is so cool …

Context is King: Turning Ugly Logs into Rich Structured Events

Logs themselves often do not contain the information needed to point an investigator in the right direction. Let's say I'm troubleshooting a performance issue with my application. I may want to dig through all kinds of data sources, like proxy logs, web access logs or custom instrumentation. But, in these data sources, proxy …