Ed Bailey is a passionate engineering advocate with more than 20 years of experience in instrumenting a wide variety of applications, operating systems and hardware for operations and security observability. He has spent his career working to empower users with the ability to understand their technical environment and make the right data-backed decisions quickly.
When architects and engineers decide to adopt a new operational and security analytics platform, such as Exabeam SIEM and UEBA, they know they are either buying into the vendor’s ecosystem or they are going to spend a ton of time building custom integrations. More often than not, they buy the vendor with the biggest ecosystem since they don’t have the time to build and support endless integrations. Building and owning all the integrations is just not worth the engineering time. It is an old story, but with Cribl Stream customers now have the option to integrate the tools they want into their environment and are not limited by time-consuming integration challenges.
Stream makes the concept of the observability pipeline a reality that removes barriers to integration between tools.
An observability team can pick and choose best-of-breed tools. They can choose:
Stream is the glue that ties these products together into an effective, cohesive solution with minimal engineering time spent on maintaining integrations: all the benefits of best of breed without the risk and time commitment of owning tool integration.
In my past life at Transunion, I owned Splunk to support operations and security observability. The security team proposed installing the Exabeam UEBA solution alongside Splunk Enterprise to get a better UEBA solution than Splunk offered. I was very concerned since Exabeam was not in the Splunk ecosystem. Both tools need the same data, but how do we share the data given:
I was very concerned about how we could achieve integration without impacting our overall observability solution.
Cribl Stream was the best option because not only did it make integrating Exabeam UEBA into our stack easy, but it de-risked adding a new tool to our observability stack. We could change the data feed into Exabeam UEBA at any time with no impact to Splunk. Stream removed Splunk as a dependency in the implementation. The implementation timeline went from months to weeks using Stream.
Cribl Stream sits in between your data sources and destinations. For a Splunk shop, it would take feeds from the Splunk UFs and the rest of the environment and then pass that data to Splunk. When adding Exabeam to the data flow you would use:
The route uses two sourcetypes to build the filter; you can easily add more sourcetypes to the filter below as your UEBA program expands.
sourcetype=='XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' ||
sourcetype=='XmlWinEventLog:Microsoft-Windows-Security'
The filter directs a copy of the data to the Exabeam processing pipeline and then to the Exabeam Destination. The event stream then continues down to the next route. Since the Exabeam route clones the data stream, nothing is lost by sending data to Exabeam: Splunk still receives every event.
The Exabeam processing pipeline is where you make format changes so your data matches the default Exabeam parsers for Windows. Transforming your data to match Exabeam’s default parsers will shorten your development cycle and get your Exabeam toolset into production faster. Splunk’s Windows Classic data contains an extra space that Exabeam’s parser is not expecting. Your Exabeam pipeline needs a single regex pattern that will remove the extra space and enable smooth data processing.
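As an added illustration (not code from the post or from Cribl), the two-route layout above simulated in plain JavaScript: a Cribl Stream route filter is a JavaScript expression over the event, so the post’s filter is reused verbatim, the Exabeam route clones matching events through a pipeline, and the next route still receives the unmodified original. The post does not show the exact regex, so the pipeline step below assumes the “extra space” is a run of two or more spaces and collapses it to one; the sample events are constructed.

```javascript
// Route filter from the post, wrapped as a function (Cribl evaluates it as a JS expression).
const exabeamFilter = (e) =>
  e.sourcetype == 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' ||
  e.sourcetype == 'XmlWinEventLog:Microsoft-Windows-Security';

// ASSUMPTION: the post only says one regex removes an extra space from Splunk's
// Windows Classic data; the pattern itself is not given, so this collapses any run
// of two or more spaces in _raw to a single space. Adjust to match your parser.
const EXTRA_SPACE = / {2,}/g;

// Exabeam processing pipeline: returns a new event, never mutates the original.
function exabeamPipeline(e) {
  return { ...e, _raw: e._raw.replace(EXTRA_SPACE, ' ') };
}

// Route table: the Exabeam route is a clone (non-final), so every event also
// continues to the next route, which here represents the existing Splunk feed.
function routeEvents(events) {
  const out = { exabeam: [], splunk: [] };
  for (const e of events) {
    if (exabeamFilter(e)) out.exabeam.push(exabeamPipeline(e)); // copy to Exabeam
    out.splunk.push(e);                                          // original continues
  }
  return out;
}

// Constructed sample events (not real log data).
const SAMPLE_EVENTS = [
  { sourcetype: 'XmlWinEventLog:Microsoft-Windows-Security',
    _raw: 'EventCode=4624  Account_Name=alice' },
  { sourcetype: 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational',
    _raw: 'EventCode=1  Image=C:\\Windows\\System32\\notepad.exe' },
  { sourcetype: 'linux_secure',
    _raw: 'sshd[4242]: Accepted publickey for bob' },
];

const result = routeEvents(SAMPLE_EVENTS);
console.log(`exabeam: ${result.exabeam.length} events, splunk: ${result.splunk.length} events`);
```

Only the two Windows sourcetypes reach the Exabeam output, the Linux event goes to Splunk alone, and the Splunk copy keeps the original spacing.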
Exabeam Cloud uses a platform called a site collector to capture data. Its default ingest method is port 514 and uses syslog for most data feeds. Use the default syslog destination in Stream to push data to your Exabeam Site Collectors. Consult Exabeam support if you need to push JSON formatted data to Exabeam Cloud since it requires a slightly different approach where you need to update your site collector configuration.
I would highly recommend adding data sources one by one while working closely with your Exabeam administrator to validate data and make sure the Exabeam parser works correctly. In addition, Exabeam’s machine learning can take up to 2 weeks to create a baseline, so be prepared to make changes after initial onboarding. You will have to be patient as you validate that each data source is working correctly.
With a few lines of code, you can get the right data to Exabeam without impacting your existing logging solution. Your security stack improves without the risk of major disruption normally associated with installing a UEBA or SIEM platform. Your observability team is not overwhelmed with work either. Cribl LogStream enables significant technology like Exabeam UEBA with less effort and risk than otherwise possible.
Try Cribl’s free, hosted LogStream Sandbox. I’d love to hear your feedback; after you run through the sandbox, connect with me on LinkedIn, or join our community Slack and let’s talk about your experience!
The fastest way to get started with Cribl Stream is to sign up at Cribl.Cloud. You can process up to 1 TB of throughput per day at no cost. Sign up and start using Stream within a few minutes.