
🎶 Livin' on the Edge 🎶

Now that we've installed Cribl Edge, let's see how it can help us ingest today's syslogs. Edge not only lets us explore our Edge Nodes on a whim, but also routes our observability data (in this case, syslog) without requiring another parser.

Monitor our syslog file using Cribl Edge
  1. Navigate back to the apache syslog file's modal:

    1. Click into Manage > Explore > Files > Manual.
    2. In the Files list, click the /var/log/apache/yyyy-mm-dd.log entry.
  2. Once in the File modal, click Monitor this file at the top right.

  3. In the Input ID field, enter apache.

  4. Click the Fields left tab, then click Add Field to add the following field names and values to the table:

    Name         Value
    sourcetype   "edge-apache-file"
    index        "syslog"
  5. Click Save.

  6. In the resulting confirmation dialog, click Yes to navigate to the Collect page.

And just like that, we configured Cribl Edge to monitor a syslog file. Then we navigated to one of Edge's routing pages, Collect. Here on the Collect submenu tab, we can configure Edge to send the file contents nearly anywhere.

That's cool and all, but this is only one file. If you remember, Syslog-NG is configured to start a new file every day, and we have more than one directory to monitor (/var/log/pan and /var/log/apache)!

Enter the in_file_varlog source
  1. On Collect page's filter, remove the SOURCE ID / apache filter to see all the sources.
  2. At the top of our Sources list, click the File Monitor tile to expand the stack.
  3. Hover over the in_file_varlog tile and click Configure.

Cribl Edge has a neat default File Monitor configured to watch for log files in /var/log. Convenient! Let's use that, since it will see all of our Syslog-NG files being written. We just need to make sure they have the right index and sourcetype configured.

Add some fields
  1. With the in_file_varlog drawer open, click the left Fields tab.

  2. Click Add Field and fill out the following Name / Value pairs:

    Name         Value
    sourcetype   "edge-".concat(source.split('/')[3])
    index        "syslog"
  3. Click Save.

Neat little side note: The Value text field accepts JavaScript expressions (indicated by the blue line at the field's left). This lets us derive the sourcetype from each event's source path instead of hard-coding it: source holds the monitored file's full path, and because the path starts with a slash, source.split('/')[3] is the first directory under /var/log (apache or pan). Note that a file written directly into /var/log, such as /var/log/syslog, has its file name in that position, so it would get sourcetype edge-syslog. We'll see the fruits of this after we plumb up the Splunk connection.
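To see exactly what that Value expression produces before committing it, here is an added example (not part of the Cribl sandbox, and not Cribl's own code) that evaluates the same expression in plain Node.js against a few constructed file paths. The sample paths and the stricter sourcetypeForStrict variant are assumptions made for this example; the loose function is the expression from the Fields table verbatim.

```javascript
// Added example: exercise the Cribl Fields expression
//   "edge-".concat(source.split('/')[3])
// outside of Cribl. In Edge the expression is evaluated per event with
// `source` bound to the monitored file's path; here a plain function stands
// in for that binding.

// Constructed sample paths (the dated file names are hypothetical).
const SAMPLE_SOURCES = [
  "/var/log/apache/2024-05-01.log",  // directory under /var/log -> edge-apache
  "/var/log/pan/2024-05-01.log",     // directory under /var/log -> edge-pan
  "/var/log/syslog",                 // file directly in /var/log -> edge-syslog
  "/var/log/nginx/site/access.log",  // deeper nesting still uses index 3 -> edge-nginx
];

// The exact expression from the in_file_varlog Fields tab, wrapped in a function.
// "/var/log/apache/x.log".split("/") is ["", "var", "log", "apache", "x.log"],
// so index 3 is the first path component after /var/log.
function sourcetypeFor(source) {
  return "edge-".concat(source.split("/")[3]);
}

// Stricter variant (an assumption of this example, not Cribl's default):
// only derive the sourcetype when the path has a directory directly under
// /var/log, and otherwise fall back to a fixed name, so a file like
// /var/log/syslog does not silently become its own sourcetype.
function sourcetypeForStrict(source, fallback = "edge-varlog") {
  const parts = source.split("/").filter(Boolean); // drop the empty leading element
  if (parts.length >= 4 && parts[0] === "var" && parts[1] === "log") {
    return "edge-".concat(parts[2]);
  }
  return fallback;
}

// Evaluate both variants over a list of paths and return the comparison table.
function evaluateAll(sources) {
  return sources.map((source) => ({
    source,
    loose: sourcetypeFor(source),
    strict: sourcetypeForStrict(source),
  }));
}

// Print the table when run directly: node sourcetype-check.js
for (const row of evaluateAll(SAMPLE_SOURCES)) {
  console.log(`${row.source.padEnd(34)} loose=${row.loose.padEnd(14)} strict=${row.strict}`);
}
```

Run it with node before you paste an expression into the Fields tab; if the strict column and the loose column disagree for a path you actually expect to see under /var/log, decide which behaviour you want in your SIEM before the data lands there.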

Now that we've configured the actual Source we want to use, let's send our data to some low-cost object storage. This way, in the event we need access to an unaltered copy of our syslog data, we'll have it.

S3 and Me

In a scene straight out of a cooking show, we have already configured an S3 instance in order to speed this sandbox along. Feel free to spend some time looking at the configuration if you'd like.

You down with S3?
  1. Click and hold the + on the right-hand side of the in_file_varlog tile (in the expanded File Monitor group).
  2. While holding down the button on your mouse (or other pointing device), drag across to the S3 tile on the right-hand side.
  3. Once your connection line is over the S3 tile, release the button to complete the connection.
  4. In the resulting pop-up, leave the default Passthru selection and click Save.

Oh and the SIEM, too

While we're here, let's also send a copy of our syslog data to the SIEM. That way, we are mirroring our current setup, in case we want to replace the agent that ships our syslog events in the future. Or, say, if we want to change SIEM vendors without needing to change our agents…

Configure our Splunk as a destination
  1. At Cribl Edge's upper right, click Add Destination.
  2. Find Splunk Single Instance, either by typing in the filter, or by expanding the More Destinations section.
  3. Hover over the Splunk Single Instance tile and click Add New.
  4. Enter splunk as the Output ID and as the Address.
  5. Click Save.
  6. Connect the in_file_varlog File Monitor Source to the new Splunk Single Instance Destination (again by clicking and dragging).
  7. In the resulting pop-up, leave the default Passthru selection and click Save.
  8. At the top right of Edge's UI, click Commit.
  9. In the resulting Git Changes modal, enter a commit message (example below) and click Commit & Deploy.
    Added syslog-ng File Monitors and routed to S3 AND Splunk
Are you an overachiever?

You can repeat the steps above for the apache Source as well, if you'd like. Then you can check out what it would look like in Splunk at the end. Or not. I'm not your boss.

If you do this, you gotta figure out what to search for by yourself.

Perf! We have now duplicated the current environment, as well as added a low-cost archive to the mix.

Check your work

It probably seems silly that we used splunk as the address for our Splunk Single Instance destination, but that's how we have our k8s environment configured for sandboxes: the Splunk service resolves by that name inside the cluster. Don't take our word for it! Feel free to go back to the Splunk UI (the Splunk top tab) and search for our edge-apache or edge-pan sourcetype.

index="syslog" sourcetype="edge-apache"
index="syslog" sourcetype="edge-pan"

We could be done there, but let's do what we actually came here to do: add Cribl Stream to the mix.