Capturing Cribl Login attempts

I am trying to capture login attempts (successful/unsuccessful) to Cribl. I can see that the cribl.log file contains logs for these (with a type of “auth”).
I have enabled CriblLogs as a source.
The log level for channel “auth” is set to Info.
When I do a capture on the CriblLogs source I don’t see these “auth” events, I do however see (some) other events - any suggestions as to what I might be doing wrong?
Thanks.

Best Answer

  • Brendan Dalpe
    Brendan Dalpe Posts: 201 mod
    Answer ✓

    It does not. You can point your collector URL or agent output to localhost, which will feed the data to your standalone instance.

Answers

  • GeoffB
    GeoffB Posts: 2

    Brendan,
    Thank you for the update. We are running Cribl in stand-alone not distributed mode - does this change anything?
    Geoff

  • Brendan Dalpe
    Brendan Dalpe Posts: 201 mod
    edited July 2023

    Hi @GeoffB, (as of writing this post) Cribl Stream does not have a native way to forward logs from the Leader node. What you're seeing with the CriblLogs source is the logs from the individual workers.

    If you install Cribl Edge (or your preferred agent of choice) you can forward the logs from the Leader to the Workers using a File Monitor source.

    Another way would be to configure a REST API Collection job. Your workers can extract the logs from the leader node on a scheduled basis using the REST API.
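
Once the Leader's cribl.log reaches a pipeline or a script by either route suggested in the thread, the login events still have to be separated from the other channels. The following is an added example, not code from any poster or from Cribl: it filters newline-delimited JSON log lines down to the "auth" channel and flags users with repeated failures. The field names (`channel`, `message`, `user`), the message wording and the sample lines are constructed assumptions; check them against your own cribl.log.

```python
import json
from collections import Counter

# Constructed sample lines; field names and message text are assumptions,
# not copied from a real cribl.log. The last line simulates a partial write.
SAMPLE_LOG = """\
{"time":"2023-07-10T09:00:01.120Z","channel":"auth","level":"info","message":"Successful login","user":"admin"}
{"time":"2023-07-10T09:00:05.300Z","channel":"server","level":"info","message":"request handled"}
{"time":"2023-07-10T09:01:10.010Z","channel":"auth","level":"info","message":"Failed login","user":"svc_test"}
{"time":"2023-07-10T09:01:12.450Z","channel":"auth","level":"info","message":"Failed login","user":"svc_test"}
{"time":"2023-07-10T09:01:14.900Z","channel":"auth","level":"info","message":"Failed login","user":"svc_test"}
{"time":"2023-07-10T09:0
"""

def auth_events(lines, channel="auth"):
    """Yield parsed events on the given channel, skipping unparseable lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # partially written line, e.g. during log rotation
        if isinstance(event, dict) and event.get("channel") == channel:
            yield event

def classify(event):
    """Map an auth event to success/failure/other from its message text."""
    msg = str(event.get("message", "")).lower()
    if "fail" in msg:
        return "failure"
    return "success" if "success" in msg else "other"

def summarize(lines, threshold=3):
    """Return (outcome counts, users with >= threshold failed logins)."""
    outcomes, failures = Counter(), Counter()
    for event in auth_events(lines):
        outcome = classify(event)
        outcomes[outcome] += 1
        if outcome == "failure":
            failures[event.get("user", "<unknown>")] += 1
    flagged = sorted(u for u, n in failures.items() if n >= threshold)
    return dict(outcomes), flagged

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```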