Cribl puts your IT and Security data at the center of your data management strategy and provides a one-stop shop for analyzing, collecting, processing, and routing it all at any scale. Try the Cribl suite of products and start building your data engine today!
Learn more ›Evolving demands placed on IT and Security teams are driving a new architecture for how observability data is captured, curated, and queried. This new architecture provides flexibility and control while managing the costs of increasing data volumes.
Read white paper ›Cribl Stream is a vendor-agnostic observability pipeline that gives you the flexibility to collect, reduce, enrich, normalize, and route data from any source to any destination within your existing data infrastructure.
Learn more ›Cribl Edge provides an intelligent, highly scalable edge-based data collection system for logs, metrics, and application data.
Learn more ›Cribl Search turns the traditional search process on its head, allowing users to search data in place without having to collect/store first.
Learn more ›Cribl Lake is a turnkey data lake solution that takes just minutes to get up and running — no data expertise needed. Leverage open formats, unified security with rich access controls, and central access to all IT and security data.
Learn more ›The Cribl.Cloud platform gets you up and running fast without the hassle of running infrastructure.
Learn more ›Cribl.Cloud Solution Brief
The fastest and easiest way to realize the value of an observability ecosystem.
Read Solution Brief ›Cribl Copilot gets your deployments up and running in minutes, not weeks or months.
Learn more ›AppScope gives operators the visibility they need into application behavior, metrics and events with no configuration and no agent required.
Learn more ›Explore Cribl’s Solutions by Use Cases:
Explore Cribl’s Solutions by Integrations:
Explore Cribl’s Solutions by Industry:
September 25 | 10am PT / 1pm ET
Hold my beer: lessons from one team’s data pipeline journey
Register ›Try Your Own Cribl Sandbox
Experience a full version of Cribl Stream and Cribl Edge in the cloud.
Launch Now ›Get inspired by how our customers are innovating IT, security and observability. They inspire us daily!
Read Customer Stories ›Sally Beauty Holdings
Sally Beauty Swaps LogStash and Syslog-ng with Cribl.Cloud for a Resilient Security and Observability Pipeline
Read Case Study ›Experience a full version of Cribl Stream and Cribl Edge in the cloud.
Launch Now ›Transform data management with Cribl, the Data Engine for IT and Security
Learn More ›Cribl Corporate Overview
Cribl makes open observability a reality, giving you the freedom and flexibility to make choices instead of compromises.
Get the Guide ›Stay up to date on all things Cribl and observability.
Visit the Newsroom ›Cribl’s leadership team has built and launched category-defining products for some of the most innovative companies in the technology sector, and is supported by the world’s most elite investors.
Meet our Leaders ›Join the Cribl herd! The smartest, funniest, most passionate goats you’ll ever meet.
Learn More ›Whether you’re just getting started or scaling up, the Cribl for Startups program gives you the tools and resources your company needs to be successful at every stage.
Learn More ›Want to learn more about Cribl from our sales experts? Send us your contact information and we’ll be in touch.
Talk to an Expert ›October 23, 2020
Have you ever spent a day picking through firewall logs, looking for the useful bits to help diagnose a reported issue? Firewall logs provide a rich data set, but in and of themselves, they’re a bit hard to read and understand, which makes them even harder to get insights from. Not to mention they are one of the chattiest sources of logs – in fact, one of our customers recently told us their firewall logs increased by more than 200% since the start of the pandemic because of remote employees all accessing resources within the corporate network! If only there was a way to take these obscure and verbose logs and make them immediately useful…
Take this example of a Palo Alto Network firewall Traffic log entry:
May 07 02:39:54 PA-VM 1,2020/05/07 02:39:54,44A1B3FC68F5304,TRAFFIC,end,2049,2020/05/07 02:39:54,192.168.10.53,52.88.186.130,192.168.10.53,52.88.186.130,splunk,,,ssl,vsys1,trusted,
untrusted,ethernet1/2,ethernet1/3,log-forwarding-default,2020/05/07 02:39:54,574240,1,51864,8000,24167,8000,0x500070,tcp,allow,5937,1520,4417,23,2020/05/07 02:39:54,13,any,0,730198,0x0,10.0.0.0-10.255.255.255,United States,0,13,10,tcp-fin,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0
Clearly, just from looking at this log entry, you understand where each IP address is geographically, and whether it’s an internal or an external address, and whether the external address is on a list of bad actors. Wait, it’s not that clear? Exactly. I look at that line, my eyes glaze over, and I start thinking about what I’m going to make for dinner instead of the potential problem in front of me.
I used to run an infrastructure team responsible for, among other things, the global network of a Fortune 1000 company. As a pointy-haired boss, I was generally not all that interested in specific IP addresses, but I was very interested in our geographic traffic patterns. So we had GeoIP lookups set up in our Splunk environment, allowing me to build dashboards around that. But the same data was not available in our SIEM environment, nor in our applications logging environment (which was largely Elasticsearch-based).
Sure, I probably could have hacked all of those systems to do their own GeoIP lookups, but then I’ve got multiple places to maintain the GeoIP database. My security team was interested in checking the data against threat feeds, but they did that in a separate, bespoke, system. It would have been nice to be able to enrich the firewall data (or any other IP address–rich log source) with GeoIP data and any threat feed data *before* it got to the logging system. By doing that, I could ensure that no system’s data would look “different” just because the local “enrichment” worked a little bit differently than on the other systems.
When I was introduced to Cribl LogStream, a light went off in my head, because it allowed me to do EXACTLY that. Allow me to show you how…
LogStream has a general Lookup function that will be well covered in a future blog post, but here, we can also make use of a few other options:
1. The GeoIP function – this is a function that requires a GeoIP database (e.g., MaxMind’s GeoIP-Lite), and does IP lookups within that DB to generate GeoIP information. This function takes one or more source fields, and tries to look up the IP address in each source field. If it finds it, creates a destination JSON object, which contains all the GeoIP information from the DB that matches that IP address.
This will potentially create two new JSON objects, src_geoip
and dest_geoip
, which will contain the GeoIP data for each source field.
2. The C.Lookup() JavaScript function, used within a LogStream Eval function to check whether a specified source field contains an IP address that is present in a provided list. It returns true if the IP address in the field is in the list, or false if it isn’t.
This will create a new field called compromised
that will be true if the IP address is present in the compromised-ips.csv file, or false if not. In this case, I used the compromised-ips.txt file from the ProofPoint Emerging Threats feed, but this could be done with any text file.
3. Also within an Eval function, we can use the C.Net.cidrMatch()
JavaScript function to check if an IP address source field matches an internal address. The form of this will be different from org to org, but the example here checks if the source field is an RFC1918 (a/k/a non-routeable) address.
Since the value expression is too long to see in total on the screenshot, the expressions are:
(C.Net.cidrMatch("10.0.0.0/8", src_ip) || C.Net.cidrMatch("172.16.0.0/12", src_ip) || C.Net.cidrMatch("192.168.0.0/16", src_ip)) ? "Internal" : "External"
This will create two new fields, src_type
and dest_type
, which will be set to “Internal” if the IP address is an RFC1918 address, or “External” if not.
These are just a couple options for enhancing your firewall data, but the possibilities are endless. I suggest you take a look at Cribl LogStream by taking one of our sandbox courses. If you are not familiar with our sandboxes, they are a great way to learn Cribl LogStream. Each sandbox is a fully functional version of the LogStream product, with instructions to help you implement the specific use case for the sandbox scenario. There is a sandbox course for GeoIP and Threat Feed Lookups at https://sandbox.cribl.io/course/enrichment
Rick Salsa Sep 19, 2024
Josh Biggley Sep 17, 2024
Classic choice. Sadly, our website is designed for all modern supported browsers like Edge, Chrome, Firefox, and Safari
Got one of those handy?