Skip to main content

How to Send Claude CoWork Monitoring data to Cribl Stream

  • April 22, 2026
  • 1 reply
  • 60 views
Emily Ashley

This guide walks you through pointing Claude Cowork’s OpenTelemetry (OTel) export to a Cribl Stream OTel Source in Cribl Cloud so you can monitor Cowork activity alongside your other telemetry. For full Cowork monitoring details, see Monitor Claude Cowork activity with OpenTelemetry and the Claude Cowork monitoring setup docs.

Configure the Cribl OTel source

In Cribl Stream (Cribl Cloud):

  • Create or open an OpenTelemetry source.

  • Set:

    • OTLP Version: 1.3.1

    • Protocol: HTTP

    • Port: {PORT} (port 4318 is currently unavailable on Stream in Cribl Cloud; use a port in the 20000–20010 range)

    • Turn on Extract logs and Extract metrics when you want OTLP batches split into per-event records for use in Stream pipelines.

    • Enable TLS.

    • Set Authorization > Auth Token to {TOKEN} (this will become the bearer token Claude Cowork uses).

Note the port and token; you’ll plug these into Claude CoWork next. For more detail on source settings and ports, see the OpenTelemetry (OTel) Source documentation. Commit and deploy!
 

Configure Claude CoWork OTLP export

In Claude Cowork admin settings (Admin settings > Cowork):

  • OTLP endpoint

    Use your Cribl Cloud OTel endpoint format:
    https://{worker group name}.{workspace name}.{organizationId}.cribl.cloud:{PORT}

    • Use the same {PORT} you configured in your Cribl OTel source.

    • You do not need to add signal-specific paths like /v1/logs or /v1/metrics — Cowork will correct you if you try.

  • OTLP protocol

    • Set to http/protobuf.

  • OTLP headers

    Add the Cribl auth token as a bearer header: Authorization=Bearer {TOKEN}

    • Use the same {TOKEN} you set in the Cribl OTel source.

    • If you format this header incorrectly, Cowork will return an error to help you fix it.

Save your changes, then start a new Cowork session so the new configuration is picked up.


Note: Network egress allowlist

The OTel exporter runs inside the Cowork VM, and traffic to non-allowlisted domains is silently dropped. 

  • Go to Admin settings > Capabilities > Network egress.

  • Add your Cribl endpoint domain to the allowlist so Cowork traffic to Cribl isn’t dropped.

See Claude’s guidance on this: Claude Cowork monitoring setup docs


Verify events in Cribl

Once everything is saved:

  • Start a new Cowork session.
  • Perform a few Cowork actions (prompts, tools, etc.).
  • In Cribl Stream go to your OTel Source Live Capture and confirm you’re receiving OTLP data as expected.

You should now see Claude CoWork activity flowing into Cribl via OTel, ready for routing, shaping, and analysis alongside your other telemetry. If you have more questions about extraction/batching of OTLP in Cribl or routing, enhancing, or redacting generally, please don’t hesitate to ask us!

    1 reply

    Emily Ashley
    • Emily Ashley
    • Author
    • Employee
    • April 22, 2026

    Note: A couple of teams setting up this integration recently had to temporarily disable and then re-enable their auth token settings to get data flowing. I’m not entirely sure why this helped yet, but it’s a quick thing to try if you’ve confirmed the rest of the config looks correct and you’re still not seeing data.

    1. Remove the Auth Header / Token from both Claude Cowork and your Cribl OpenTelemetry Source, then:
      • In Claude Cowork: save and start a new session
      • In Cribl: commit and deploy your route/pipeline changes
    2. Run a Live Data capture on the Cribl OTel Source and generate some activity in Claude CoWork to see if events arrive without auth.
    3. If logs are now coming in, add the Auth Header / Token back to both Claude Cowork and the Cribl OTel Source, then again save / start a new Cowork session and commit / deploy.

    For at least three different teams this week, simply removing and re-adding the auth token in both systems was enough to get the integration working as expected.

    Terms & ConditionsAccessibility statement