Securing Cribl Stream (TLS/SSL, Certs, Keys)

You can secure Cribl Stream access and traffic using various combinations of SSL (Secure Sockets Layer), TLS (Transport Layer Security), custom HTTP headers, and internal or external KMS (Key Management Service) options. An additional option for Cribl Stream is to deploy in FIPS mode.

In a single-instance deployment (Stream, Edge), wherever this page refers to a Worker Group, just follow the Cribl Stream top nav’s Manage link.

Secure Access to Worker Nodes’ UI​

A best practice in enterprise distributed deployments, this prevents direct browser access to Worker Nodes’ UI.

Cribl recommends that you first enable the Leader’s UI access to Worker Nodes (Stream, Edge). This way, admins will still be able to tunnel through from the Leader to any Worker Node’s UI. This is also a prerequisite for Connecting Workers to the Leader Securely.

1. Select a Worker Group.
2. Open Group Settings (top right).
3. Under General Settings > API Server Settings, click Advanced.
4. Toggle Local UI Access to No.
5. Click Save.

SSL Certificate Configuration​

You can secure Cribl Stream’s API and UI access by configuring SSL. Do this on the Leader, to secure Worker Nodes’ inbound communications.

You can use your own certs and private keys, or you can generate a pair with OpenSSL, as shown here:

openssl req -nodes -new -x509 -newkey rsa:2048 -keyout myKey.pem -out myCert.pem -days 420

This example command will generate both a self-signed cert myCert.pem (certified for 420 days), and an unencrypted, 2048-bit RSA private key myKey.pem. (Change the filename arguments to modify these placeholder names.)

As indicated by these examples, Cribl Stream expects certificates and keys to be formatted in privacy-enhanced mail (.pem) format.

In the Cribl Stream UI, you can configure the cert via Settings > Global Settings > Security > Certificates. You can configure the key via:

• Settings > Global Settings > Security > Encryption Keys single-instance deployments (Edge, Stream), or
• Manage > Groups > <group‑name> > Group Settings > Security > Encryption Keys distributed deployments (Edge,Stream).

Alternatively, you can edit the local/cribl.yml file’s api section to directly set the privKeyPath and certPath attributes. For example:

api:
  host: 0.0.0.0
  port: 9000
  disabled : false
  ssl:
    disabled: false
    privKeyPath: /path/to/myKey.pem
    certPath: /path/to/myCert.pem
...

See Securing Communications for details about using this certificate and key to secure communications on, and among, your Cribl Stream Leader and Worker Nodes.

Custom HTTP Headers​

You can encode custom, security-related HTTP headers, as needed. As shown in the examples below, you specify these at Settings > Global Settings > General Settings > API Server Settings > Advanced > HTTP Headers. Click Add Header to display extra rows for new key-value pairs.

TLS Settings and Traffic Types​

This table shows TLS client/server pairs, and encryption defaults, per traffic type.

* Common name
† OpenID Connect

Default TLS Settings (Cyphers, Etc.)​

You can configure advanced, system-wide TLS settings – minimum and maximum TLS versions, default cypher lists, and ECDH curve names. Select Settings > Global Settings > System > General Settings > Default TLS Settings.

Here, in Cribl Stream’s Default cypher list field, you can specify between one and all of the following supported cyphers:

• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS in Cribl.Cloud​

TLS encryption is pre-enabled on several Sources in Cribl.Cloud, indicated on the Cribl.Cloud portal’s Data Sources tab. All TLS is terminated by individual Nodes.

To enable TLS settings for additional Sources, use these configuration settings:

• Private key path: /opt/criblcerts/criblcloud.key
• CA certificate path: /opt/criblcerts/criblcloud.crt
• Minimum TLS version: TLSv1.2

For steps to enable TLS mutual authentication in Cribl.Cloud, see Securing Communications.

Encryption Keys​

You can create and manage keys that Cribl Stream will use for real-time encryption of fields and patterns within events. For details on applying the keys that you define here, see Encryption.

In Cribl Stream 4.1 and later, for enhanced security, Cribl encrypts TLS certificate private keys in configuration files when you add or modify them. Before upgrading to v.4.1.0 (or later), back up your existing unencrypted key files – see Safeguarding Unencrypted Private Keys for Rollback. If you need to roll back to a pre-4.1 version, see Restoring Unencrypted Private Keys below.

Accessing Keys​

• In a single-instance deployment, select Settings > Security > Encryption Keys.
• In a distributed deployment with one Worker Group, select Settings > Security > Encryption Keys.
• In a distributed deployment with multiple Worker Groups, keys are managed per Worker Group. Select Manage > Groups > <group-name> Group Settings > Security > Encryption Keys.

On the resulting Manage Encryption Keys page, you can configure existing keys, and/or use the following options to add new keys.

Get Key Bundle​

To import existing keys, click Get Key Bundle. You’ll be prompted to supply a login and password to proceed.

Add New Key​

To define a new key, click New Key. The resulting New Key modal provides the following controls:

Key ID: Cribl Stream will automatically generate this unique identifier.

Description: Optionally, enter a description summarizing this key’s purpose.

Encryption algorithm: Currently, Cribl Stream supports the aes-256-cbc (default) and aes-256-gcm algorithms.

KMS for this key: Currently, the only option supported here is local (Cribl Stream’s internal Key Management Service).

Key class: Classes are arbitrary collections of keys that you can map to different levels of access control. For details, see Encryption. This value defaults to 0; you can assign more classes, as needed.

Expiration time: Optionally, assign the key an expiration date. Directly enter the date or select it from the date picker.

Use initialization vector: If enabled, Cribl Stream will seed encryption with a nonce to make the key more random and unique. Optional (and defaults to disabled) with the aes‑256‑cbc algorithm; automatically enabled (and cannot be disabled) with the aes‑256‑gcm algorithm.

Initialization vector size: Length of the initialization vector (IV), in bytes. This option is displayed only with the aes‑256‑gcm algorithm. Defaults to 12 bytes to optimize interoperability, but you can use the drop-down to set this anywhere between 12–16 bytes.

Restoring Unencrypted Private Keys​

If you need to roll back from Cribl Stream 4.1 or later to an earlier version, follow this procedure to restore the unencrypted private key files that you earlier backed up.

1. Stop Cribl Stream 4.1 (or later) on hosts – the Leader and all Worker Nodes.
2. Untar the older Cribl Stream version (e.g., 4.0.4) onto the Leader and all Worker Nodes.
3. Manually edit each Cribl Stream config file that contains an encrypted private key. Replace each key with its prior unencrypted version.
4. Start up Cribl Stream, commit and deploy, and resume normal operations.

Secrets​

With Cribl Stream’s secrets store, you can centrally manage secrets that Cribl Stream instances use to authenticate on integrated services. Use this UI section to create and update authorization tokens, username/password combinations, and API‑key/secret‑key combinations for reuse across the application.

Accessing Secrets​

• In a single-instance deployment, select Settings > Security > Secrets.
• In a distributed deployment with one Worker Group, select Configure > Settings > Security > Secrets.
• In a distributed deployment with multiple Worker Groups, secrets are managed on each Worker Group. Select Groups > <group-name> Settings > Security > Secrets.

On the resulting Manage Secrets page, you can configure existing secrets, and/or click New Secret to define new secrets.

Add New Secret​

The New Secret modal provides the following controls:

Secret name: Enter an arbitrary, unique name for this secret.

Secret type: See below for this second field’s options, some of which expose additional controls.

Description: Optionally, enter a description summarizing this secret’s purpose.

Tags: Optionally, enter one or multiple tags related to this secret.

Secret Type ​

This drop-down offers the following types:

Text: This default type exposes a Value field where you directly enter the secret.

API key and secret key: Exposes API key and Secret key fields, used to retrieve the secret from a secure endpoint. This is the only secret type supported on Cribl Stream’s AWS-based Sources, Collectors, and Destinations, and on our Google Cloud Storage Destination.

Username with password: Exposes Username and Password fields, which you fill to retrieve the secret using Basic Authentication.

CA Certificates and Environment Variables​

Where Cribl Stream Sources and Destinations support TLS, each Source’s or Destination’s configuration provides a CA Certificate Path field where you can point to corresponding Certificate Authority (CA) .pem file(s). However, you can also use environment variables to manage CAs globally. Here are some common scenarios:

1. How do I add a set of trusted root CAs to the list of trusted CAs that Cribl Stream trusts?
   Set this environment variable in each Worker Node’s environment (e.g., in its systemd unit file): NODE_EXTRA_CA_CERTS=/path/to/file_with_certs.pem. For details, see the nodejs docs.

2. How do I make Cribl Stream trust all TLS certificates presented by any server it connects to?
   Set this environment variable: NODE_TLS_REJECT_UNAUTHORIZED=0 – for details, see the nodejs docs.