Cribl Edge -> Splunk

In this post we will walk through sending logs from Cribl Edge to Splunk using the HTTP Event Collector (HEC). HEC is a Splunk input that accepts data and application events over HTTP or HTTPS and authenticates each request with a token. Because that token is a bearer credential sent with every request, the HEC listener should run over HTTPS so the token is never exposed in cleartext.

To start, make sure a Cribl Edge source is already ingesting the logs you want to forward. Refer to this blog to review how to set up log sources in Cribl. In this example, we are ingesting Windows Event logs into a Cribl Edge instance.

Windows Event logs are currently being sent to "DevNull", a testing destination that discards everything it receives.

Navigate to your Splunk instance, go to "Settings" > "Indexes," and click "New index."

Enter the index name as "Cribl," or choose a different name for your index.

Next, we need to configure HEC in the Splunk console. Go to "Settings" > "Data inputs" and click on "HTTP Event Collector." Before creating a token, open "Global Settings" on this page and confirm that "All Tokens" is set to Enabled and "Enable SSL" is checked, and note the HTTP port number (8088 by default); the Cribl Edge host will need network access to that port.

Select "New token" in the upper right-hand corner.

The name can be whatever you choose for the HEC connection; the other options can be left as default.

Next, under "Input Settings," add the "Cribl" index we created earlier to the token's allowed indexes and make it the default index, then define a new source type or use an existing one. Restricting the token to a single index limits what a leaked token can write to.

Select "Review," then "Submit" to view your token. Copy this so we can use it in our Cribl instance. Treat the token as a credential: anyone who holds it and can reach the HEC port can write events into the allowed indexes, so store it in a secrets store rather than in notes, tickets, or chat.

Navigate back to your Cribl Edge instance. Under "Destinations," select "HEC."

Click "Add destination."

Fill out the following details:

  • Output ID: The name of your destination

  • HEC endpoint: The full URL of the Splunk HEC listener, not just the IP address, for example https://<splunk-host>:8088/services/collector/event (8088 is Splunk's default HEC port; use https so the token is not sent in the clear, and leave server certificate validation enabled outside of a lab)

  • Authentication method: We will use "Manual" in this example, which pastes the token directly into the destination; "Secret" instead references a token stored in Cribl's secrets store and is the better choice for production

  • HEC auth token: The token you copied in earlier steps

Complete the form and click "Save."

Go to the "Data Routes" section within Cribl, and create a new route with any name you desire. Fill out the following:

  • Route name: The name you choose

  • Filter: A JavaScript expression that selects which events take this route; `true` matches everything, or filter on `__inputId` to match only the Windows Event log source

  • Pipeline: Select which pipeline you want to send the logs through; there is a default option for Windows Event logs

  • Output: Select the name of the HEC destination you created in Cribl

We can go back to Cribl Destinations, open the HEC destination, and use its "Test" tab to send a sample event and confirm Splunk accepts it.

Navigate to your Splunk search bar and type index=cribl to see the ingested logs.
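If the test event never shows up, it helps to take Cribl out of the picture and exercise the HEC listener directly. The script below is an added example, not part of the original post or of Cribl's or Splunk's own tooling: it checks the listener's health endpoint, sends one event with the same request shape Cribl's HEC destination uses, and interprets Splunk's JSON reply. The host name, port, CA bundle path, token value and sourcetype are placeholders to be replaced; only the "cribl" index comes from the steps above.

```shell
#!/bin/sh
# Added example (not from the original post): verify a Splunk HEC endpoint and
# token from the Cribl Edge host before or after configuring the destination.
# Assumptions: splunk.example.internal, port 8088, the CA bundle path and the
# token value are placeholders; the "cribl" index is the one created above.
set -eu

HEC_URL="${HEC_URL:-https://splunk.example.internal:8088}"      # assumed host; 8088 is the default HEC port
HEC_TOKEN="${HEC_TOKEN:-00000000-0000-0000-0000-000000000000}"   # placeholder; pass the real one via the environment
HEC_INDEX="${HEC_INDEX:-cribl}"
HEC_CA_CERT="${HEC_CA_CERT:-/etc/ssl/certs/ca-certificates.crt}" # CA that signed Splunk's HEC certificate (assumed path)

# Body for POST /services/collector/event: Splunk expects a JSON object with the
# payload under "event"; "index" and "sourcetype" override the token defaults and
# are only honoured if the token is allowed to write to that index.
# The message is inserted verbatim, so keep test strings free of quotes/backslashes.
hec_payload() {
  index="$1"; sourcetype="$2"; message="$3"
  printf '{"index":"%s","sourcetype":"%s","event":{"message":"%s"}}' \
    "$index" "$sourcetype" "$message"
}

# HEC authenticates with a bearer-style header, so the token travels in every
# request; this is why the endpoint must be HTTPS.
hec_auth_header() {
  printf 'Authorization: Splunk %s' "$1"
}

# Interpret Splunk's reply. Success is {"text":"Success","code":0}; anything else
# (e.g. code 4 "Invalid token", code 7 "Incorrect index") is a failure.
# Returns 0 on success and 1 otherwise so it can gate the rest of a script.
hec_check_response() {
  body="$1"
  case "$body" in
    *'"code":0'*|*'"code": 0'*) return 0 ;;
    *) echo "HEC rejected the event: $body" >&2; return 1 ;;
  esac
}

# Liveness check that needs no token: GET /services/collector/health.
hec_health() {
  curl -sS --fail --cacert "$HEC_CA_CERT" "$HEC_URL/services/collector/health"
}

# Send one test event. --cacert pins the CA for the HEC certificate; do not swap
# it for -k/--insecure outside a lab, or the token can be captured by anyone able
# to impersonate the Splunk host on the network.
hec_send() {
  body="$(hec_payload "$HEC_INDEX" "cribl:hec_test" "$1")"
  curl -sS --cacert "$HEC_CA_CERT" \
    -H "$(hec_auth_header "$HEC_TOKEN")" \
    -H 'Content-Type: application/json' \
    --data "$body" \
    "$HEC_URL/services/collector/event"
}

# Network calls only run when HEC_RUN=1, so the file can be sourced or linted
# without contacting Splunk.
if [ "${HEC_RUN:-0}" = "1" ]; then
  hec_health && echo
  hec_check_response "$(hec_send 'hec connectivity test from cribl edge host')" \
    && echo "HEC accepted the event; search index=$HEC_INDEX in Splunk"
fi
```

Run it as `HEC_RUN=1 HEC_URL=https://<splunk-host>:8088 HEC_TOKEN=<token> sh hec_check.sh`. A `code:4` reply means the token is wrong or disabled, `code:7` means the token is not allowed to write to the index you named, and a TLS error from curl usually means the HEC certificate is not signed by the CA bundle you pointed `--cacert` at; fix that rather than disabling validation, because Cribl's destination will hit the same certificate.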
