Why is Event Breaking Important?
What Happens when Events Are Incorrectly Broken?
To understand the importance of getting Event Breakers right, let's explore some possibilities when events are incorrectly broken...
The Potential for Loss of Important Information
Incorrectly breaking events can lose critical application or system information. A multi-line event such as a stack trace that is split into fragments loses the timestamp, severity and context of the line it belongs to, and two events merged into one hide the second inside the first. Improperly broken events can also increase security risk, because downstream rules that mask or drop sensitive data are applied per event: a fragment that no longer looks like the event it came from can slip past those rules, so sensitive data is logged accidentally, and a malicious insider could use that data to compromise a system.
Difficulty in Troubleshooting
If incorrect timestamps are applied during event breaking, troubleshooting issues in monitored systems becomes harder. Events are indexed at the wrong time (or at the time of ingestion, when no timestamp could be extracted at all), so time-bounded searches miss them and related events from different sources no longer line up. This can lead to longer downtime for applications and systems, resulting in possible financial damages.
Compliance Violations
By incorrectly breaking events, you could expose your organization to compliance violations, because the events stored in archival or SIEM platforms will no longer faithfully reflect the original events as they were generated on the source systems. Compliance requirements typically dictate that you maintain accurate and complete logs. Violations could lead to legal and/or financial penalties for the organization.
Event Breaking Best Practices
Now that we've talked about the bad, let's take a look at some good things you can do to make sure your event breaking works correctly...
Define Clear Event Boundaries
By identifying the pattern in logs that represents an event boundary, you can define the structure of the events – making it easier to correctly separate a stream of data into discrete events.
Test Your Breakers
Using the Cribl UI, you can verify that your Event Breakers work correctly against sample data before applying them to your data sources. This catches boundary and timestamp mistakes before they reach production, where the resulting bad events would have to be found and cleaned up.
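The following is an added, stand-alone Python example, not Cribl code and not part of the original page. It ties the failure modes above (lost stack-trace context, missing timestamps, sensitive data escaping a downstream rule) to the best practice of defining a clear event boundary, and ends with the kind of check you would run when testing a breaker. The log stream, the timestamp format, the boundary regex and the "drop DEBUG events" rule are all constructed for illustration; Cribl's own breaker and pipeline implementations are not reproduced here.

```python
import re
from datetime import datetime, timezone

# Constructed sample stream (not real data): a Java-style log with a multi-line
# stack trace and a multi-line DEBUG event whose second line carries a credential.
SAMPLE_STREAM = """2024-03-01 10:15:02,113 INFO  [http-1] Login ok user=alice
2024-03-01 10:15:03,220 ERROR [http-2] Request failed
java.lang.IllegalStateException: db pool exhausted
\tat com.example.db.Pool.acquire(Pool.java:88)
\tat com.example.web.Handler.handle(Handler.java:41)
2024-03-01 10:15:04,001 DEBUG [http-2] Retrying with request body:
{"user":"alice","password":"hunter2"}
2024-03-01 10:15:05,777 INFO  [http-1] Logout user=alice
"""

# Assumed timestamp format for this log source: "YYYY-MM-DD HH:MM:SS,mmm".
TS_PATTERN = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}"
# Event boundary: a new event starts wherever a line begins with a timestamp.
# The lookahead is zero-width, so the timestamp stays inside the event.
BOUNDARY = re.compile(r"^(?=" + TS_PATTERN + r" )", re.MULTILINE)
TIMESTAMP = re.compile(r"^(" + TS_PATTERN + r")")
LEVEL = re.compile(r"^" + TS_PATTERN + r" (\w+) ")
SECRET = re.compile(r"password", re.IGNORECASE)


def break_events(stream, boundary=BOUNDARY):
    """Split a raw stream into events at every boundary match.

    Lines that do not start with a timestamp (exception text, stack frames,
    request bodies) stay attached to the event they belong to.
    """
    starts = [m.start() for m in boundary.finditer(stream)]
    if not starts or starts[0] != 0:
        starts.insert(0, 0)  # data before the first boundary forms its own event
    ends = starts[1:] + [len(stream)]
    chunks = [stream[a:b].rstrip("\n") for a, b in zip(starts, ends)]
    return [c for c in chunks if c.strip()]


def naive_break(stream):
    """The mistake: treating every newline as an event boundary."""
    return [line for line in stream.split("\n") if line.strip()]


def parse_timestamp(event, fallback):
    """Return (timestamp, True) if the event carries one, else (fallback, False).

    The flag lets a caller see when a default (e.g. ingestion time) was applied
    instead of the time the event was really generated.
    """
    m = TIMESTAMP.match(event)
    if not m:
        return fallback, False
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
    return ts.replace(tzinfo=timezone.utc), True


def count_untimestamped(events):
    """Breaker health check: number of events that would get a fallback time.

    A correct breaker yields zero for this source; a non-zero count means
    boundaries are wrong or the timestamp format changed.
    """
    now = datetime.now(timezone.utc)
    return sum(1 for e in events if not parse_timestamp(e, now)[1])


def level_of(event):
    """Severity from the event's first line, or None if there is none."""
    m = LEVEL.match(event)
    return m.group(1) if m else None


def drop_debug(events):
    """Downstream rule applied per event: DEBUG events never reach storage."""
    return [e for e in events if level_of(e) != "DEBUG"]


def leaked_secrets(events):
    """Events that reached the destination while still containing a credential."""
    return [e for e in events if SECRET.search(e)]


if __name__ == "__main__":
    good = break_events(SAMPLE_STREAM)
    bad = naive_break(SAMPLE_STREAM)
    print("correct breaker:", len(good), "events,",
          count_untimestamped(good), "without timestamp,",
          len(leaked_secrets(drop_debug(good))), "secrets leaked")
    print("naive breaker:  ", len(bad), "events,",
          count_untimestamped(bad), "without timestamp,",
          len(leaked_secrets(drop_debug(bad))), "secrets leaked")
```

With the timestamp-anchored boundary the stream yields four events, the stack trace stays with its ERROR line, every event has its own timestamp, and the DEBUG event (credential included) is dropped as a unit. With newline splitting the same stream yields eight events, four of them with no timestamp and therefore a fallback time, and the request-body fragment has no severity, escapes the DEBUG rule and carries the password downstream. The `count_untimestamped` check is the number to watch after any breaker or application change.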
Document, Document, Document
Cribl supports adding arbitrary Descriptions to Event Breakers. Other admins will benefit from having comments and explanations inside the configuration, and won't have to scratch their heads trying to figure out what you were trying to do.
Post-Breaking Considerations
Normalize your Data
With any set of events, it is important that you normalize the events into a format that can be easily understood and processed by downstream systems. This includes reshaping events so that their fields are easy to extract, enriching events with context, or simply removing data that isn't useful.
If you haven't done so already, we encourage you to take the Data Shaping sandbox.
Monitor and Iterate
Finally, continuously monitor your logs, and update your event breaking and timestamp recognition as needed. Your applications might get updated in ways that change the logging structure. Good thing Cribl makes it easy to update your Event Breakers!
Conclusion
Now that we've discussed the philosophy of event breaking, let's talk about how regular expressions are used in some Cribl Event Breakers...