v.4.4.4 Release
2024-01-17 - Cribl Stream 4.4.4 | Maintenance Release | Edge 4.4.4 release notes are here.
New Features
Rules are made to be broken, so this maintenance release contains the following new features:
FIPS Mode (Beta)
Cribl Stream can now run in FIPS (Federal Information Processing Standards) mode. When running in FIPS mode, Cribl Stream will use only FIPS-compliant cryptography algorithms, and will require FIPS-compliant passwords for user login. See the FIPS Mode topic for details. In Cribl Stream version 4.4.4, FIPS mode is a beta feature available in Customer Managed deployments.
Load Balanced Webhook Destination
We’ve added support for load balancing in the Webhook Destination. You can enable load balancing and specify multiple webhook URLs and their load weights, which sets relative traffic-handling capabilities for each connection. You can also choose whether to exclude all IPs of the current host from the list of any resolved hostnames.
Exponential Backoff Retry for HTTP Destinations
In some HTTP-based Destinations, you can now configure retry behavior for HTTP requests to use an exponential backoff algorithm, with settings for initial retry delay, retry delay multiplier, and maximum retry delay.
This works both for requests that time out (for example, because of Destination latency) and for requests that fail with a non-200 HTTP response code. You can configure retry behavior for the Google Chronicle, Azure Data Explorer, Dataset, and Elasticsearch Destinations.
More Features
We added an auto-refresh toggle on the Manage > Workers page for lists with fewer than 100 Workers. When disabled, a timestamp indicates the last time the Workers list was updated. For more details, see Workers Tab docs. CRIBL-15651
Our Google Chronicle Destination now supports more regional endpoints: Dammam, Europe Multi-Region, Frankfurt, London, Singapore, Sydney, Tel Aviv, United States Multi-Region, and Zurich. CRIBL-21391
In Cribl.Cloud, you can now configure a Session idle time limit for the GUI. This helps keep pages up longer – for data monitoring, for example. To configure this option, go to Settings > Global Settings > General Settings. CRIBL-20753
Corrections
This release includes the following fixes:
Sources
The OpenTelemetry Source now correctly listens on the configured Address field instead of always listening on the default address regardless of configuration. CRIBL-21690
OpenTelemetry now accurately reports when an HTTP server relinquishes listening on a port. Previously, Worker processes were failing to bind to a port when you swapped between two Sources that used the same port. CRIBL-21382
Splunk TCP Source can now properly send captures when the Max S2S version is set to v4. CRIBL-21378
Cribl Stream now ensures that data from Windows clients is actually compressed before attempting decompression. This prevents Stream from displaying the error "Tried to interpret data bytes before a scheme was set" that previously occurred in the Windows Event Forwarder when uncompressed data was incorrectly flagged as compressed. CRIBL-21957
The Windows Event Forwarder Source now correctly closes sockets upon receiving malformed requests from Windows clients. This avoids a situation where data flow stopped because the WEF Source had used up its maximum allowable active connections. CRIBL-21965
Collectors
When creating an S3, Google Cloud Storage, or Azure Blob Collector, a warning will appear when both the earliest and latest fields are left blank. This helps prevent the Collector from excessively collecting data. CRIBL-17215
The REST Collector now adds the User-Agent header to HTTP requests by default, and should now be able to successfully access the Proofpoint API. CRIBL-21571
When previewing REST Collector data, the source field is no longer incorrectly set on results when the Discover type is not an HTTP request. CRIBL-21833
The REST Collector now supports JWT and text/plain authentication responses via the Login and Login (credentials secret) authentication method. CRIBL-21699
When configuring the Database Collector, you can now expand the SQL Query window to show the whole query, even if it’s quite long. CRIBL-21707
The Database Collector now allows you to toggle strict query validation on and off. Proceed with caution, because this means that you can execute potentially destructive queries. CRIBL-21734
Destinations
The Google Chronicle Destination now supports the Chronicle Ingestion API’s labels field. This enables you to see which data was sent through Cribl. CRIBL-20950
The Google Chronicle Destination now holds subsequent attempts to receive data for 30 seconds by default. This helps if you’re running into quota limits and errors when sending data to Google Chronicle. CRIBL-21238
The DataDog Destination now correctly displays an error when an invalid token is added during configuration. CRIBL-21249
For Worker Nodes in Cribl.Cloud with Azure Data Explorer (ADX) Destinations, the Persistent Queue Settings no longer incorrectly expose on-prem PQ settings. CRIBL-21335
The Elasticsearch Destination no longer uses an authentication token when Authentication enabled is set to No. CRIBL-21129
Functions
- The use of a wildcard in the Remove Fields config of an Eval after the Redis function no longer causes data loss in the deployed Pipeline. CRIBL-21355
Packs
- Events are no longer dropped from Routes when a Pack contains the Suppress function and is used in a non-final Route. CRIBL-21577
Roles
Monitoring, Mappings, and Recent Actions sections are visible again on the Home page for all users with the reader_all Role. CRIBL-20994
Users with the admin Role can once again access Mappings. CRIBL-21269
Other Functional Fixes
Live data capture is now available in GitOps read-only mode. CRIBL-21782
Several C.Mask functions (md5, sha1, sha256, and sha512) can now process input given as a hex string representing bytes, instead of always interpreting input as a UTF-8 string. To make use of this feature, set the new encoding optional parameter. The C.Encode.base64 function also accepts this optional parameter. CRIBL-21240
Logging in to Cribl using LDAP (like AzureAD) configured with uid in the Username field no longer displays the error "Failed to read current user". CRIBL-21716
Clicking Export from the Manage as JSON view for Sources, Destinations, and Collectors will redact sensitive information from the config before saving. CRIBL-15632
Persistent Queues (PQ) now drain when it is appropriate to do so. CRIBL-21298
Cribl Stream was displaying an error when a user with the stream_editor role created a new Project. CRIBL-20167
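The hex-versus-UTF-8 distinction in the C.Mask fix above (CRIBL-21240) decides which bytes are hashed, and so whether a digest matches one computed elsewhere. The following is an added example using Node.js's crypto module, not Cribl's code; the helper names toBytes, digest and compare and the sample field value are assumptions made for illustration.

```javascript
// Added example: Node.js crypto stands in for the hashing; not Cribl's implementation.
const crypto = require("node:crypto");

// The four hash functions named in the release note.
const ALGORITHMS = new Set(["md5", "sha1", "sha256", "sha512"]);

// Hypothetical helper: turn the input into the bytes that will be hashed.
function toBytes(input, encoding = "utf8") {
  if (encoding === "utf8") return Buffer.from(input, "utf8");
  if (encoding !== "hex") throw new RangeError(`unsupported encoding: ${encoding}`);
  // Buffer.from(s, "hex") stops silently at the first invalid character, so
  // "zz" would be hashed as the empty string. Validate strictly before decoding.
  if (input.length % 2 !== 0 || !/^[0-9a-fA-F]*$/.test(input)) {
    throw new TypeError("input is not a well-formed hex string");
  }
  return Buffer.from(input, "hex");
}

// Hypothetical helper: hex digest of input, read as text or as hex-encoded bytes.
function digest(algorithm, input, encoding = "utf8") {
  if (!ALGORITHMS.has(algorithm)) {
    throw new RangeError(`unsupported algorithm: ${algorithm}`);
  }
  return crypto.createHash(algorithm).update(toBytes(input, encoding)).digest("hex");
}

// Constructed sample: a field holding the bytes 0x61 0x62 0x63 ("abc") as hex text.
const field = "616263";

function compare() {
  return {
    asText: digest("sha256", field, "utf8"),    // hashes the six characters "616263"
    asBytes: digest("sha256", field, "hex"),    // hashes the three bytes 61 62 63
    reference: digest("sha256", "abc", "utf8"), // the same three bytes, given as text
  };
}

const result = compare();
console.log("bytes match reference:", result.asBytes === result.reference);
console.log("text matches reference:", result.asText === result.reference);
```

Only the byte interpretation reproduces the reference digest, which is the case that matters when a hashed field is compared against digests produced by another tool.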