Organizations leverage many different cybersecurity and observability tools across departments. It's common to see the IT department using Splunk Enterprise while the SOC uses Exabeam. These tools use separate agents, each feeding different data to its own destination. Normally this isn't a problem, unless you're talking about domain controllers. Domain controllers only allow a single agent, meaning you can't feed two platforms with data. How do you get around this limitation and send security logs to Exabeam while still sending the right data to Splunk? In the scenario we'll explore below, a customer has Splunk Universal Forwarders (UFs) installed on the domain controllers, sending classic-format event logs to Exabeam. These classic logs embed new lines and special characters that break Exabeam's parser, so we need to remove them before delivering the events to Exabeam. This is where Cribl Stream comes in. With Stream, we can ingest directly from the Splunk UF running on the domain controller and transform the events before routing them to Exabeam. Let's get started with parser validation using Exabeam and Cribl Stream.
You can capture your logs in many ways:
Once you have pasted the log sample you would like to transform, give it a unique file name and select "Save as Sample".
Now that the sample is saved, we can start changing the format of the event. The Windows classic view contains many new lines and spaces that we need to remove: Exabeam treats each new line as a separate event, so every new line has to go.
We start with the Serialize function. Serialize strips the new lines and spaces and puts the data into JSON format. The remaining issue is that the output now contains many literal \n and \r sequences. These are a problem for Exabeam: unless we remove them, the parser's regex will not match the fields that need to be extracted.
The Mask function covers a variety of use cases; in this example, masking is used to remove those special characters and replace them with a space.
For the last step of the pipeline, we use the Eval function. Eval creates a new field called message, and under Remove Fields we remove everything else so that only the message field is kept.
(Note: The message field is what populates the raw message in Data Lake.)
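As an added example that is not code from this post or from Cribl, here is a plain-JavaScript model of the three pipeline functions above (Serialize, Mask, Eval) run on a constructed Windows classic-format event, so the end result can be checked offline; the sample event, the host/source fields, the regexes and the isSingleLine check are assumptions of this example, not Cribl's implementation.

```javascript
// Constructed sample: a Windows "classic" event body with the CRLFs and tabs
// that the post says break Exabeam's parser. Not a real log.
const SAMPLE_EVENT = {
  _raw:
    "An account was successfully logged on.\r\n\r\n" +
    "Subject:\r\n\tAccount Name:\t\tSVC-TEST$\r\n\tAccount Domain:\t\tCORP\r\n\r\n" +
    "Logon Information:\r\n\tLogon Type:\t\t3\r\n\r\n" +
    "Network Information:\r\n\tSource Network Address:\t10.0.0.5\r\n",
  host: "dc01.example.test",      // assumed UF metadata fields
  source: "WinEventLog:Security",
};

// Stage 1, Serialize: wrap _raw as a JSON string. Real line breaks become the
// two-character escapes \r, \n and \t that still trip the parser's regex.
function serialize(event) {
  return { ...event, _raw: JSON.stringify({ _raw: event._raw }) };
}

// Stage 2, Mask: replace each \r, \n, \t escape with a space and collapse runs
// of spaces. Caveat: a literal backslash in the event text (e.g. C:\new) would
// also be hit; a production Mask rule must account for that.
function mask(event) {
  const cleaned = event._raw.replace(/\\[rnt]/g, " ").replace(/ {2,}/g, " ");
  return { ...event, _raw: cleaned };
}

// Stage 3, Eval: create the single message field and drop every other field,
// mirroring "Remove Fields" with only message kept.
function evalStage(event) {
  const { _raw } = JSON.parse(event._raw);
  return { message: _raw.trim() };
}

// Full pipeline, producing the event as Exabeam would receive it.
function toExabeamEvent(event) {
  return evalStage(mask(serialize(event)));
}

// Check worth wiring into a test: true when nothing Exabeam treats as an event
// boundary (a real or escaped CR/LF/TAB) survives in the text.
function isSingleLine(text) {
  return !/[\r\n\t]/.test(text) && !/\\[rnt]/.test(text);
}

console.log(toExabeamEvent(SAMPLE_EVENT));
```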
Let's get started with testing. Every Exabeam customer should have access to the Auto Parser Generator (APG); if you do not, reach out to your local Exabeam community and request access. The APG tool validates whether your event matches any existing parsers.
Select "View Parsing Details" to view the parser that matches this event type.
Validate that all the fields you need are populated: src_ip, dest_host, user, etc.
(Note: Do not rename these fields, e.g. to "source_IP". Exabeam has its own field-name format that matches the Advanced Analytics template.)
Auto Parser Generator provides the parsers at the bottom under "Configuration Files". If you need to make changes, you can download the parser and adjust the regex as needed.
Let's test a quick sample in Exabeam. The benefit of Cribl is that you can quickly send a single event to Exabeam and validate how the event will look inside Data Lake or Advanced Analytics.
Go to the Test tab and paste the message field exactly as shown in the image into the Test Input:
[
  {
    "message": "The THX circuit is down, generate the optical panel so we can connect the JSON application!"
  }
]
Click Run Test.
(Note: Before sending anything, make sure to change the asset name and the username to a dummy account. Advanced Analytics has hundreds of models out of the box, and you do not want to pollute these models while testing your data.)
You should see your event show up in Exabeam Data Lake within a few seconds. You can run a search on your forwarder IP/host.
Example syntax: Forwarder:"IP/host"
You can see we are using the right parser: if you look at exa_parser_name, it matches the parser shown in the Auto Parser Generator.
By using Cribl Stream, organizations can send security logs to Exabeam while maintaining the flow of data into a Splunk instance. Cribl Stream lets organizations make the decisions that benefit them most in how they manage, route, and store observability data.
The fastest way to get started with Cribl Stream and Cribl Edge is to try the Free Cloud Sandboxes.
Experience a full version of Cribl Stream and Cribl Edge in the cloud with pre-made sources and destinations.