
Cribl Leader Logs to Splunk

Sven Breier
Sven Breier Posts: 14

Hello everyone,

Is there a “best practice” way to collect internal and metrics logs from the Cribl Leader?
For workers there is an existing Source called “Cribl Internal”.
Thank you

Answers

  • Jon Rust
    Jon Rust Posts: 431 mod

    Best rec right now is to install Edge on the Leader host and collect the logs using that. You can also opt for any of the other agents.

  • Sven Breier
    Sven Breier Posts: 14

    How to collect them? I can't put the Leader in a fleet to soak up the data.

  • Jon Rust
    Jon Rust Posts: 431 mod

    I believe you could join the Leader as a managed node. You could also install Edge and run it as a singleton. Access it on port 9420 and configure a file monitor on /opt/cribl/log.

  • Brendan Dalpe
    Brendan Dalpe Posts: 201 mod

    Another option is to use the agent you are familiar with like the Splunk UF or a FileBeat. Logs then get forwarded to your worker group.

    Another way would be to collect them using the REST API. A thread on Community Slack: Slack

  • Sven Breier
    Sven Breier Posts: 14

    Thank you guys, will try that.