
Packs: the Easy Button of Stream

TL;DR

Packs are easy ways to share Pipelines, Data Routes, and Knowledge objects between Stream instances. We at Cribl have curated some Packs for the most common use cases we come across. These curated Packs are published to GitHub on what we call our Dispensary where they can be directly copied into Stream using Add from Dispensary.

It is also possible for users to share their own Packs across Stream instances if, say, they built a Pipeline in a test environment and wanted to move it into production.

As it turns out, there are some common use cases for Stream; for example, reducing firewall log volume, pruning Windows event logs, cleaning syslog data, etc. Because these use cases are so common, we think it would be nice if you didn’t have to spend hours reinventing the wheel, so to speak. Hence, we preconfigured Packs.

Packs are Data Routes, Pipelines, and Knowledge objects that are bundled (packed) together to make them easy to share and use across multiple Stream instances. Some Packs are curated by us at Cribl and published to a public GitHub repository called The Dispensary.

Say, for example, you needed to prune and streamline your Palo Alto logs but didn’t know where to start. Well, you could use the Add from Dispensary feature and grab the Palo Alto Networks Pack from the Dispensary. Actually, we’ve done that (it’s part of a later How-To). Let’s go check it out!

important
  1. Select the Processing submenu and click Packs
  2. Click cribl-palo-pack in the ID column

If you would like to explore here, go ahead. There are eight unique Data Routes included in this Pack, each with their own Pipelines. Check out one or two Pipelines to see the awesome work we have done for you! This Pack is covered in more depth in a later course. But in the meantime, there is a README under the Settings sub-tab.

note

When navigating through a Pack, be aware of the sub-nav bar that exists below the top nav. In order to see the Pipelines inside a Pack, you need to click Pipelines in the sub-nav, not in the top nav.

One other thing to point out about Packs is that they don’t need to come from Cribl! A great example of this is creating some Pipelines and Routes in a test environment and then moving them to production by wrapping them up in a Pack. We cover this scenario in a later course as well: a security expert creates a Pack using their expertise, and you deploy it in production. Easy peasy lemon squeezy.

Let’s move on to our last stop: Monitoring.