Cribl Configuration
The Encryption Keys
Before we start configuring the data elements of Cribl LogStream, we need to set up the keys with which to encrypt and decrypt the data moving through it.
Looking back to part one of this document, we noted that fields requiring encryption were grouped into either crypto_group_0 or crypto_group_1 in the JSON schema. Keeping with this naming convention, we’ll describe the two key pairs using these names, taking care to align that the group number matches the “Key Class” variable in the key settings.
crypto_group_0 is assigned a key class of “0”
crypto_group_1 is assigned a key class of “1”
Download the key bundle by clicking “Get Key Bundle” in the user interface.
The bundle will contain two files when uncompressed, cribl.secret
and keys.json
.
Securely copy both files to /opt/splunk/etc/apps/cribl/local/cribl/auth
on your search head (or deploy them accordingly with your search head deployer).
The Destination
In keeping with the philosophy of configuring things in reverse order, we’ll start with setting Splunk up as a destination in Cribl LogStream. Cribl speaks “Splunk-to-Splunk” (S2S) protocol natively so this is a relatively simple procedure.
It’s worth noting that while this lab is a single all-in-one Splunk Indexer/Search Head, Cribl also supports load balanced Splunk indexers and outputting to the Splunk HTTP Event Collector.
I have also configured Cribl to write events to a persistent queue in the unlikely event that it can’t communicate with the Splunk indexing tier.
The Pipeline Part 1
Initially we’ll set up a default pipeline to test end-to-end delivery of events. As this means that the Splunk index will be receiving unencrypted sensitive data, I’d recommend sending them to a test index that can later be deleted. Even a single event containing PII in a wrong index can create a compliance nightmare months down the line.
With our default pass-through pipeline set up, we can move on to configuring the Cribl Route.
The Route
Next we create the route that connects the pipeline to the desired output. I’ve added a filter to ensure that only events destined for index=’secured_index’ are valid for the pipeline in the name of optimisation.