Looking at Our Work
Last time we clicked the Destination Live View and saw traffic flowing. We could do that again, but it would not show the reduction we just configured. For that, we need to go to Monitoring.
Click Monitoring in the top nav.
At first glance here, you might object, ‘Hey! There is MORE data leaving Stream than coming in!’ and you’re right. This is due to our raw2s3 archival Route from last time: every event coming into Stream is also being sent to our S3 archive. On top of that, IT added a Route sending the Palo Alto traffic (the same traffic that goes to the archive) simultaneously to their Elastic instance.
This means our overall Data In to Data Out is roughly 1:2, so this system-wide view is not a good representation of our work. Instead, let’s look at the IT Elastic Route specifically.
Click the Data drop-down submenu (on the Monitoring page) and click Routes.
Here we can see how every Route is performing. Notice that the UI shows events per second (eps) and bytes per second (which this page abbreviates bps; note that this is bytes, not bits, per second). In the real world the byte figure is usually shown in kilobytes or megabytes per second, and for customers with large data volumes it can reach gigabytes per second!
What we are interested in here is the Route we just modified, palo2ITElastic. You’ll have to do the math yourself, but you can compare the eps in against the eps out, and the bytes in against the bytes out.
In our sandbox environments there is usually a larger reduction in bytes than in events for Palo Alto traffic. In the real world, however, the Pack we added also samples noisy data (for certain event types it keeps only one out of every 10 events), so there can be a large reduction in eps as well.
Reducing not only bytes per second but also events per second matters when discussing licensing with different Security Information and Event Management (SIEM) vendors. Some bill by the volume of data ingested or stored (bytes), while others bill by the sheer number of events (eps), so the two reduction figures translate into savings under different licensing models.
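To make the eps-versus-bytes distinction concrete, here is an added worked example (not Cribl's code and not the Pack's actual logic) that applies a counter-based "keep one in every 10 TRAFFIC events" rule to a constructed batch of PAN-OS style syslog lines and reports the same figures the Routes view shows: eps in/out, bytes in/out, and the two reduction percentages. The log lines, the 60-second window and the 100:20 TRAFFIC:THREAT mix are all assumptions chosen for illustration.

```python
"""Added worked example (not Cribl's code): estimate the eps and byte reduction
that a 1-in-N sampling rule produces on a constructed batch of PAN-OS style
syslog lines. Sampling here is a simple counter ("keep every Nth event of a
given log type"), an approximation of a sampling Function, not the Pack's logic."""

from typing import Dict, Iterable, List

# PAN-OS syslog is CSV; the log type (TRAFFIC, THREAT, ...) is the 4th field.
LOG_TYPE_FIELD = 3


def pan_traffic_line(i: int) -> str:
    # Constructed sample: a short TRAFFIC end-of-session record.
    # Fixed-width fields keep every line the same length so the byte math is stable.
    return (f"1,2024/01/01 00:00:{i % 60:02d},001801000001,TRAFFIC,end,"
            f"10.1.1.{i % 250:03d},192.0.2.{i % 250:03d},443,allow,web-browsing")


def pan_threat_line(i: int) -> str:
    # Constructed sample: a THREAT record, deliberately longer than a TRAFFIC record.
    # The signature name and ID are placeholders, not a real PAN-OS signature.
    return (f"1,2024/01/01 00:00:{i % 60:02d},001801000001,THREAT,vulnerability,"
            f"10.1.1.{i % 250:03d},192.0.2.{i % 250:03d},443,alert,"
            f"example-signature-name(00000),high")


def log_type(line: str) -> str:
    return line.split(",")[LOG_TYPE_FIELD]


def sample_by_type(lines: Iterable[str], sampled_type: str, keep_one_in: int = 10) -> List[str]:
    """Keep the 1st, (N+1)th, (2N+1)th ... event of sampled_type; pass other types through."""
    kept: List[str] = []
    seen = 0
    for line in lines:
        if log_type(line) != sampled_type:
            kept.append(line)
            continue
        seen += 1
        if (seen - 1) % keep_one_in == 0:
            kept.append(line)
    return kept


def route_stats(events_in: List[str], events_out: List[str], window_s: float = 60.0) -> Dict[str, float]:
    """The figures a per-Route monitoring view reports, plus the two reductions
    that drive SIEM licensing: event count (eps) and volume (bytes)."""
    bytes_in = sum(len(e.encode("utf-8")) for e in events_in)
    bytes_out = sum(len(e.encode("utf-8")) for e in events_out)
    return {
        "eps_in": len(events_in) / window_s,
        "eps_out": len(events_out) / window_s,
        "bytes_in": float(bytes_in),
        "bytes_out": float(bytes_out),
        "eps_reduction_pct": 100.0 * (1 - len(events_out) / len(events_in)),
        "bytes_reduction_pct": 100.0 * (1 - bytes_out / bytes_in),
    }


def simulate(n_traffic: int = 100, n_threat: int = 20, keep_one_in: int = 10) -> Dict[str, float]:
    """Assumed mix: 100 noisy TRAFFIC events and 20 THREAT events in one 60 s window."""
    batch = [pan_traffic_line(i) for i in range(n_traffic)] + [pan_threat_line(i) for i in range(n_threat)]
    kept = sample_by_type(batch, "TRAFFIC", keep_one_in)
    return route_stats(batch, kept)


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key:>20}: {value:,.2f}")
```

Because only the small TRAFFIC records are sampled and the larger THREAT records pass through untouched, the event-count reduction (75%) is bigger than the byte reduction: the opposite of what the sandbox usually shows, and exactly why a vendor that bills per event and one that bills per byte will quote you different savings for the same Pack.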
We did it! Congratulations on configuring Stream to reduce noise and enrich the logs of a Palo Alto firewall by applying a Cribl-curated Pack from the Dispensary. Steve will be a happy Director when he comes in to work.
Next up: Install a custom pack from our second favorite team member: Ed!
Cribl.Cloud
There's a party and you're invited! We'll bring the Cribl, you bring the data. Sign up for a Cribl.Cloud account to try out what you just did with your own data. Up to 1TB / day of ingest at absolutely no cost! Neat! And no need to use valuable resources or infrastructure getting Cribl up and running. We’ll take care of that. And the updates. And feeding the goats. Just bring your own data (BYOD)!
AWS Quick Start
Got your own AWS infrastructure and want to try Cribl there? No worries, we also have an AWS Quick Start for Cribl Stream!