Skip to main content
Question

Cribl Leader Logs to Splunk

  • March 11, 2025
  • 5 replies
  • 115 views
S

Hello everyone,

is there a “best practise” way to collect internal and metrics logs from the cribl leader?
For worker is an existing Source called “Cribl Internal”.
Thank you

    5 replies

    Jon Rust
    Forum|alt.badge.img
    • Jon Rust
    • Employee
    • March 11, 2025

    Best rec right now is to install Edge on the Leader host and collect the logs using that. You can also opt for any of the other agents.

    S
    • Sven Breier
    • Author
    • Participating Frequently
    • March 11, 2025

    How to collect them? I cant put the Leader in a fleet to soak up the data.

    Jon Rust
    Forum|alt.badge.img
    • Jon Rust
    • Employee
    • March 11, 2025

    I believe you could join the Leader as a managed node. You could also install Edge and run it as a singleton. Access it on port 9420 and configure a file monitor on /opt/cribl/log.

    B

    Another option is to use the agent you are familiar with like the Splunk UF or a FileBeat. Logs then get forwarded to your worker group.

    Another way would be be to collect them using the REST API. A thread on Community Slack: Slack

    S
    • Sven Breier
    • Author
    • Participating Frequently
    • March 11, 2025

    Thank you guys, will try that.

    Terms & ConditionsAccessibility statement