Solved

Cribl Edge Filtering Windows Event Codes And Monitoring Registry Changes Inquiry

  • April 29, 2026
  • 10 replies
  • 0 views

This message originated from Cribl Community Slack.

I'm starting to toy and mess around with Cribl Edge as a possible replacement for our Splunk UFs. I know it natively has Windows Event Log collection. Is there a way to filter down to specific EventCodes, or even specific occurrences of EventCodes, right within the Edge endpoint? Reading through this, I'm not finding it very clear how to do that: https://docs.cribl.io/edge/sources-windows-event-logs/. The other thing I'm exploring is whether anyone has gone down the path of monitoring Windows Registry changes using Cribl Edge. I'm assuming we can do this using the Exec source in some way, but didn't know if someone has already gone through this exercise and might have some insights. Just trying to find a scalable solution to what is provided by the Splunk UF WinRegMon capability.

Best answer by scott.bossi856

Anything dropped within edge doesn’t count towards license.

10 replies

The most straightforward way to filter out event codes is just with a simple Drop function inside of a pipeline. You can add that pipeline function directly on the Edge node.

Do things dropped there still hit the license? Like, does the entire Security/Application/etc. log consume license before specific EventCodes are dropped?

I think you have to use the Cribl_HTTP Destination to Cribl Stream to get around the licensing thing. Could be wrong. Someone can correct me.

Anything dropped within edge doesn’t count towards license.

Sounds more straightforward.

I figured, but just wanted to make sure. Would certainly be a lot more prohibitive for us to be forced to consume an entire log when we only want a subset on the scale of 15,000+ systems :grimacing:

Yeah, once you get your proper filter in place, the Drop function drops the entire event.

Jon Rust
  • Employee
  • April 29, 2026
In the Pipeline, I'd recommend extracting the event ID first, then using a lookup table to decide whether to drop or keep. Allowlist style works best, IMO.

I guess the only concern I'd have is the WinRegistry portion of this. Has anyone seen a solution to this problem?

Jon Rust
  • Employee
  • April 29, 2026
Current rec is to use something like Sysinternals tools to emit registry activity into Windows Event Logs, where Edge can pick them up.
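Tying together the two threads above (extract the event ID, then keep or drop via an allowlist lookup; and get registry activity into the Windows Event Log so the same pipeline sees it), here is an added example written for this page. It is not code from Cribl or from anyone in the thread: it models the Eval, Lookup and Drop steps in plain JavaScript (Cribl's filter and Eval expressions are JavaScript, so the logic carries over, but the function names and CSV layout are this example's own). It assumes Sysmon as the Sysinternals tool, which records registry activity as event IDs 12, 13 and 14 on the Microsoft-Windows-Sysmon/Operational channel. All sample events are constructed.

```javascript
// Added example (not Cribl's code): allowlist filtering of Windows events
// keyed on channel + EventID, with the registry events Sysmon emits included.

// Constructed allowlist in the shape a lookup CSV would take (assumed layout).
// Sysmon IDs: 1 process create, 12 registry key create/delete,
// 13 registry value set, 14 registry key/value rename.
const ALLOWLIST_CSV = `channel,event_id
Security,4624
Security,4625
Security,4672
Security,4688
Security,4720
Microsoft-Windows-Sysmon/Operational,1
Microsoft-Windows-Sysmon/Operational,12
Microsoft-Windows-Sysmon/Operational,13
Microsoft-Windows-Sysmon/Operational,14`;

function parseAllowlist(csv) {
  const lines = csv.trim().split(/\r?\n/);
  const header = lines.shift().split(",");
  const ci = header.indexOf("channel"), ii = header.indexOf("event_id");
  const allow = new Set();
  for (const line of lines) {
    const cols = line.split(",");
    allow.add(`${cols[ci].trim()}:${cols[ii].trim()}`);
  }
  return allow;
}

// Eval step: pull Channel and EventID out of the raw event XML. Some
// providers write <EventID Qualifiers="...">, so the tag may carry attributes.
function extractIds(raw) {
  const id = /<EventID\b[^>]*>(\d+)<\/EventID>/.exec(raw);
  const ch = /<Channel>([^<]+)<\/Channel>/.exec(raw);
  return { eventId: id ? Number(id[1]) : null, channel: ch ? ch[1] : null };
}

// Lookup + Drop step with allowlist semantics: unlisted events are dropped.
// Events whose ID cannot be parsed are reported separately instead of being
// silently dropped, so a format change does not quietly blind detection.
function filterEvents(events, allow) {
  const kept = [], dropped = [], unparsed = [];
  for (const ev of events) {
    const { eventId, channel } = extractIds(ev._raw);
    const out = { ...ev, eventId, channel };
    if (eventId === null || channel === null) unparsed.push(out);
    else if (allow.has(`${channel}:${eventId}`)) kept.push(out);
    else dropped.push(out);
  }
  return { kept, dropped, unparsed };
}

// Constructed sample events, reduced to the System block that matters here.
function winEvent(channel, eventId, provider) {
  return { _raw:
    `<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">` +
    `<System><Provider Name="${provider}"/><EventID>${eventId}</EventID>` +
    `<Channel>${channel}</Channel><Computer>ws01.example.test</Computer>` +
    `</System><EventData/></Event>` };
}

const SAMPLE_EVENTS = [
  winEvent("Security", 4688, "Microsoft-Windows-Security-Auditing"), // process creation: keep
  winEvent("Security", 4663, "Microsoft-Windows-Security-Auditing"), // object access noise: drop
  winEvent("Microsoft-Windows-Sysmon/Operational", 13, "Microsoft-Windows-Sysmon"), // registry value set: keep
  winEvent("Microsoft-Windows-Sysmon/Operational", 10, "Microsoft-Windows-Sysmon"), // process access: drop
  { _raw: "<Event><System><Channel>Security</Channel></System></Event>" }, // no EventID: flag
];

function runDemo() {
  return filterEvents(SAMPLE_EVENTS, parseAllowlist(ALLOWLIST_CSV));
}

if (typeof require !== "undefined" && require.main === module) {
  const r = runDemo();
  console.log(`kept=[${r.kept.map(e => e.eventId)}] dropped=[${r.dropped.map(e => e.eventId)}] unparsed=${r.unparsed.length}`);
}
```

The key is built from channel and event ID together, because IDs collide across channels (Sysmon 13 is a registry write, Security 13 is something else entirely), and because the unparsed bucket is what you want to alert on when a collector or provider changes its output. The same allowlist CSV can be swapped for a deny list only if you are prepared to forward everything else by default, which is the opposite of the licensing goal discussed above.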