Solved

Capturing Cribl Login attempts

  • March 11, 2025
  • 3 replies

I am trying to capture login attempts (successful/unsuccessful) to Cribl. I can see that the cribl.log file contains logs for these (with a type of “auth”).
I have enabled CriblLogs as a source.
The log level for channel “auth” is set to Info.
When I do a capture on the CriblLogs source I don’t see these “auth” events; I do, however, see (some) other events. Any suggestions as to what I might be doing wrong?
Thanks.

Best answer by Brendan Dalpe

It does not. You can point your collector URL or agent output to localhost, which will feed the data to your standalone instance.

3 replies

  • Author
  • New Participant
  • March 11, 2025

Brendan,
Thank you for the update. We are running Cribl in stand-alone not distributed mode - does this change anything?
Geoff



Hi @GeoffB, (as of writing this post) Cribl Stream does not have a native way to forward logs from the Leader node. What you're seeing with the CriblLogs source is the logs from the individual workers.

If you install Cribl Edge (or your preferred agent of choice) you can forward the logs from the Leader to the Workers using a File Monitor source.

Another way would be to configure a REST API Collection job. Your workers can extract the logs from the leader node on a scheduled basis using the REST API.
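An added example, not from the thread or from Cribl: once the leader's cribl.log is being collected by one of the routes described above, a check like this picks out the auth-channel events and counts failed logins per user. Only the `auth` channel name comes from the thread; the one-JSON-object-per-line layout, the `user` and `message` fields and the "fail" wording are assumptions, and the sample lines are constructed.

```python
import json
from collections import Counter

# Constructed sample lines. Only the "auth" channel name comes from the
# thread; every other field name and message text is an assumption.
SAMPLE_LOG = """\
{"time":"2025-03-11T09:00:01.000Z","channel":"auth","level":"info","message":"Successful login","user":"alice"}
{"time":"2025-03-11T09:00:05.000Z","channel":"rest","level":"info","message":"request served"}
{"time":"2025-03-11T09:01:10.000Z","channel":"auth","level":"warn","message":"Login failed","user":"bob"}
{"time":"2025-03-11T09:01:12.000Z","channel":"auth","level":"warn","message":"Login failed","user":"bob"}
{"time":"2025-03-11T09:01:15.000Z","channel":"auth","level":"warn","message":"Login failed","user":"bob"}
partial line written during log rotation
"""


def auth_events(lines):
    """Yield parsed events on the auth channel, skipping unparseable lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: ignore it, keep reading
        if isinstance(event, dict) and event.get("channel") == "auth":
            yield event


def summarize(lines, threshold=3):
    """Count outcomes per user; flag users at or above the failure threshold."""
    ok, failed = Counter(), Counter()
    for event in auth_events(lines):
        user = event.get("user", "<unknown>")
        # Assumption: failure messages contain the word "fail".
        if "fail" in str(event.get("message", "")).lower():
            failed[user] += 1
        else:
            ok[user] += 1
    flagged = sorted(u for u, n in failed.items() if n >= threshold)
    return {"success": dict(ok), "failed": dict(failed), "flagged": flagged}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

Check the field names against a real auth line from your own cribl.log before relying on the counts.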
