We know the old adage: all data is security-relevant. But at what cost? Many organizations are still trying to get their arms around existing data flows and tooling, to say nothing of the new apps and data sources coming into play as they continue to migrate to the cloud. Working to get a complete picture of their security environments, many CISOs are forced to make painful decisions between staying within budget and getting complete security event visibility.
By now, many security professionals are familiar with the ways in which Cribl is helping to maximize customers’ investment in their security analytics/security information and event management (SIEM) and observability tools. Cribl Stream gives QRadar admins choice and control over their data, routinely reducing data volumes by 35% or more.
SIEM tools are a very important piece of a security portfolio, but each one approaches licensing differently. IBM QRadar and Splunk are the two most widely deployed SIEM solutions among major enterprises and government agencies today.
QRadar has the reputation of being a reliable SOC platform for threat detection and incident response, built for large enterprises. It has a large deployment base and an extensive set of service providers. However, QRadar has both a radically different architecture and a radically different licensing model from Splunk's.
While Splunk uses a well-known volume-based (bytes per day) licensing model, QRadar is licensed on event count: events per second (EPS). So how, if at all, can Stream optimize a customer's use of QRadar?
QRadar's Event Collector collects events from log sources and parses and normalizes them using per-source DSMs (Device Support Modules); IBM's own Log Event Extended Format (LEEF) is the native format it expects from custom and partner sources. The Event Collector provides some event optimization by bundling, or coalescing, identical events before sending them on to the QRadar Event Processor. Each Event Collector is assigned to an EPS license that matches the Event Processor it is connected to.
The processing rate for events is determined by your events per second (EPS) license. If you exceed the EPS rate, events are buffered and remain in the Event Collector source queues until the rate drops. However, if you continue to exceed the EPS license rate, and the queue fills up, your system drops events – and QRadar issues a warning about exceeding your licensed EPS rate.
QRadar is available as hardware appliances, virtual appliances and software, or as a cloud SaaS model called QRadar on Cloud (QRoC). All are licensed on the customer's event velocity (the EPS of the data sources in scope). The cost relationship is straightforward and linear: the higher the EPS count, the higher the cost.
IBM QRadar’s architecture provides some built-in advantages for event reduction, with the de-duplication functionality within the Event Collection tier. However, QRadar also architects in some constraints.
QRadar still requires incoming data to adhere strictly to the format its DSM parser expects for that source, with LEEF as the QRadar-native format. As a result, you cannot reformat events, nor can you shrink an event by removing null-value key-value pairs or headers. The event format and structure need to remain unaltered; otherwise the DSM stops extracting the properties the correlation rules in the QRadar Event Processor depend on, and those rules simply stop firing!
Additionally, the event reduction functionality in the QRadar Event Collectors is fairly rudimentary, limited to coalescing duplicate events. There are no fine-grained controls for selecting which events to retain or drop. Practitioners are left managing events at the endpoint, for example by tuning WinCollect or firewall logging policies. That approach offers limited control and adds administrative burden, since a typical enterprise can have tens of thousands of endpoints.
And of course, the QRadar Event Collectors can send data only to QRadar and only in QRadar's format; the pipeline cannot emit a second stream of the same data in a different format (e.g., JSON or syslog), nor deliver it to another system of retention or analysis (e.g., Elastic).
Stream is a universal event pipeline that gives you the flexibility to route, shape, restructure, and enrich data from any source to any destination without adding new infrastructure or agents. Stream is the best way to get multiple data formats into your analytics tools, including sending LEEF to QRadar. Use the Stream universal receiver to collect from any observability data source and to schedule batch collection from multiple APIs and data stores.
Stream provides fine-grained control over which events reach the QRadar Event Processor without breaking the expected LEEF format: the raw event is passed through untouched, and only the decision to forward it changes. With Stream, the QRadar administrator can keep or drop events on arbitrary criteria, deciding which events are highly security-relevant and which merely consume license and compute. Concretely, Stream reduces event count by dropping, sampling (keeping one in every N matching events), and suppressing (keeping only the first N events per key within a time window).
With each of these methods, the administrator specifies the matching criteria: meta-information such as hostname, source, sourcetype, or log level, combined with fields extracted from the events themselves. LogStream (now Cribl Stream) gives QRadar admins independence by letting them control exactly what is sent to the QRadar Event Processor. How great is that?!
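To make the three methods concrete, here is an added example (not Cribl Stream's own code or configuration, and not from the original post): a miniature LEEF-aware reducer in plain JavaScript that applies drop, sample and suppress rules to raw LEEF 1.0 events while forwarding the kept events byte-for-byte unchanged. The hosts, rule names (`fw-allow`, `failed-logon`), thresholds and sample events are all constructed for the demonstration; the Windows event IDs 4624/4625/4634 and the PAN-OS `TRAFFIC`/`THREAT` types are real, the specific events are not.

```javascript
// Added example, not Cribl Stream's code: a miniature LEEF-aware reduction
// pipeline showing the three EPS-reduction methods named in the post
// (drop, sample, suppress). Rules, hosts and events below are constructed.

// Parse a LEEF 1.0 event: LEEF:1.0|Vendor|Product|Version|EventID|k=v<TAB>k=v
// (LEEF 2.0 inserts a delimiter field after EventID; not handled here.)
// The raw line is kept untouched so the event QRadar receives is unaltered.
function parseLeef(raw) {
  const parts = raw.split('|');
  if (parts.length < 6 || !parts[0].startsWith('LEEF:1.0')) return null;
  const [, vendor, product, productVersion, eventId] = parts;
  const attrs = {};
  // Attribute section may itself contain '|', so re-join everything after EventID.
  for (const kv of parts.slice(5).join('|').split('\t')) {
    const i = kv.indexOf('=');
    if (i > 0) attrs[kv.slice(0, i)] = kv.slice(i + 1);
  }
  return { raw, vendor, product, productVersion, eventId, attrs };
}

// Build a stateful reducer. `meta` carries pipeline metadata (here: host)
// so rules can combine it with content extracted from the event itself.
function makeReducer({ dropIf, sampleRules, suppressRules }) {
  const sampleSeen = new Map();   // rule name -> matching events seen
  const suppressSeen = new Map(); // rule name + key -> matching events seen
  return function decide(raw, meta) {
    const ev = parseLeef(raw);
    if (!ev) return 'keep';                        // never silently lose unparsed data
    if (dropIf(ev, meta)) return 'drop';
    for (const r of sampleRules) {                 // keep 1 in every r.rate matches
      if (!r.match(ev, meta)) continue;
      const n = (sampleSeen.get(r.name) || 0) + 1;
      sampleSeen.set(r.name, n);
      if ((n - 1) % r.rate !== 0) return 'sample';
    }
    for (const r of suppressRules) {               // keep only the first r.max per key
      if (!r.match(ev, meta)) continue;
      const k = r.name + '|' + r.key(ev, meta);
      const n = (suppressSeen.get(k) || 0) + 1;
      suppressSeen.set(k, n);
      if (n > r.max) return 'suppress';
    }
    return 'keep';
  };
}

// Constructed rule set (hypothetical names and thresholds).
const DEMO_RULES = {
  // Windows logoff (4634) and anything from lab hosts is not worth EPS.
  dropIf: (ev, meta) => ev.eventId === '4634' || meta.host.startsWith('lab-'),
  sampleRules: [
    { name: 'fw-allow', rate: 5,
      match: (ev) => ev.eventId === 'TRAFFIC' && ev.attrs.action === 'allow' },
  ],
  suppressRules: [
    // Repeated failed logons from one source: two are enough for a rule to fire.
    { name: 'failed-logon', max: 2,
      match: (ev) => ev.eventId === '4625',
      key: (ev) => ev.eventId + '|' + ev.attrs.src },
  ],
};

// Run a fresh reducer over [host, rawEvent] pairs and tally the verdicts.
function reduceEvents(events, reducer = makeReducer(DEMO_RULES)) {
  const stats = { keep: 0, drop: 0, sample: 0, suppress: 0 };
  const kept = [];
  for (const [host, raw] of events) {
    const verdict = reducer(raw, { host });
    stats[verdict] += 1;
    if (verdict === 'keep') kept.push(raw);        // forwarded exactly as received
  }
  return { kept, stats };
}

// Constructed sample input: 15 LEEF 1.0 events from three hosts.
const WIN = 'LEEF:1.0|Microsoft|MSWinEventLog|1.0|';
const PAN = 'LEEF:1.0|Palo Alto Networks|PAN-OS|9.1|';
const repeat = (n, item) => Array.from({ length: n }, () => item);
const SAMPLE_EVENTS = [
  ['dc01', WIN + '4624|src=10.0.0.5\tusrName=alice\tsev=2'],
  ['dc01', WIN + '4634|src=10.0.0.5\tusrName=alice\tsev=1'],
  ['lab-win10', WIN + '4624|src=10.9.9.9\tusrName=test\tsev=2'],
  ...repeat(7, ['fw01', PAN + 'TRAFFIC|src=10.0.1.4\tdst=198.51.100.10\tdstPort=443\taction=allow']),
  ['fw01', PAN + 'THREAT|src=203.0.113.7\tdst=10.0.0.20\tsev=8\taction=alert'],
  ...repeat(4, ['dc01', WIN + '4625|src=10.0.0.9\tusrName=bob\tsev=5']),
];

function demo() {
  const { kept, stats } = reduceEvents(SAMPLE_EVENTS);
  const reductionPct = Math.round(100 * (1 - kept.length / SAMPLE_EVENTS.length));
  return { stats, reductionPct };
}
console.log(JSON.stringify(demo()));
```

On the constructed input the reducer keeps 6 of 15 events (a 60% EPS reduction): the logoff and the lab-host event are dropped, the seven allowed firewall sessions shrink to two, the THREAT alert passes untouched, and only the first two failed logons from 10.0.0.9 go forward. The point to check in your own deployment is the last one: every kept event equals the raw input, so QRadar's DSM parsing and correlation rules are unaffected by the reduction.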
One global real estate firm recently deployed LogStream to feed QRadar and achieved a greater than 50% reduction in events (EPS) without losing any security-relevant events, as defined by their own security team.
Do you want to learn how you can reduce EPS for QRadar and gain control over your data? It's easy to get started routing and reducing your events with LogStream: sign up for Cribl.Cloud and instantly provision an instance of Stream Cloud. Once connected to your data sources, you can process up to 1TB per day for free!
If you have questions, sign up for our Community Slack. If you just want to test the waters of Stream, head on over to the Stream Sandbox to try a full version in the cloud with sample data.