Capturing Cribl Login attempts

I am trying to capture login attempts (successful/unsuccessful) to Cribl. I can see that the cribl.log file contains logs for these (with a type of “auth”).
I have enabled CriblLogs as a source.
The log level for channel “auth” is set to Info.
When I do a capture on the CriblLogs source, I don’t see these “auth” events; I do, however, see (some) other events. Any suggestions as to what I might be doing wrong?
Thanks.

1 UpGoat

Hi @GeoffB, (as of writing this post) Cribl Stream does not have a native way to forward logs from the Leader node. What you’re seeing with the CriblLogs source is the logs from the individual workers.

If you install Cribl Edge (or your preferred agent of choice) you can forward the logs from the Leader to the Workers using a File Monitor source.

Another way would be to configure a REST API Collection job. Your workers can extract the logs from the leader node on a scheduled basis using the REST API.

2 UpGoats

Brendan,
Thank you for the update. We are running Cribl in stand-alone not distributed mode - does this change anything?
Geoff

1 UpGoat

It does not. You can point your collector URL or agent output to localhost, which will feed the data to your standalone instance.

1 UpGoat
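Once cribl.log from the Leader (or standalone instance) is being read by an agent or collector as described above, the "auth" events can be separated from the rest and summarized per user. The following is an added example, not part of the thread and not Cribl's own code. It assumes cribl.log is newline-delimited JSON with `channel`, `message` and `user` fields and that failed logins carry "fail" in the message; the sample lines are constructed.

```python
import json
from collections import Counter

# Constructed sample lines. The field names (time, channel, level, message, user)
# and the message wording are assumptions, not taken from a real cribl.log.
SAMPLE_LOG = """\
{"time":"2024-01-10T09:00:01.000Z","channel":"auth","level":"info","message":"Successful login","user":"admin"}
{"time":"2024-01-10T09:00:05.000Z","channel":"server","level":"info","message":"stats"}
{"time":"2024-01-10T09:01:10.000Z","channel":"auth","level":"warn","message":"Login failed","user":"alice"}
{"time":"2024-01-10T09:01:12.000Z","channel":"auth","level":"warn","message":"Login failed","user":"alice"}
{"time":"2024-01-10T09:01:15.000Z","channel":"auth","level":"warn","message":"Login failed","user":"alice"}
{"time":"2024-01-10T09:01:30.000Z","channel":"auth","lev
{"time":"2024-01-10T09:02:00.000Z","channel":"auth","level":"info","message":"Successful login","user":"alice"}
"""

def auth_events(lines, channel="auth"):
    """Yield parsed events on the given channel, skipping blank or unparsable lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated line, e.g. read while the file was being rotated
        if isinstance(event, dict) and event.get("channel") == channel:
            yield event

def summarize(events, failure_marker="fail", threshold=3):
    """Count successful and failed logins per user; flag users at or above threshold failures."""
    ok, failed = Counter(), Counter()
    for ev in events:
        user = ev.get("user", "<unknown>")
        # Assumption: a failed attempt is recognizable from the message text.
        if failure_marker in str(ev.get("message", "")).lower():
            failed[user] += 1
        else:
            ok[user] += 1
    flagged = sorted(u for u, n in failed.items() if n >= threshold)
    return {"success": dict(ok), "failure": dict(failed), "flagged": flagged}

if __name__ == "__main__":
    print(summarize(auth_events(SAMPLE_LOG.splitlines())))
```

To run it against a real file, pass an open file handle to `auth_events` instead of the sample lines and adjust the field names to match what your cribl.log actually contains.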