Collect Cribl Stream logs

Supported in:

This document explains how to ingest Cribl Stream logs to Google Security Operations using the built-in Google SecOps destination. Cribl Stream produces operational data in the form of logs, metrics, and events. This integration lets you send these logs to Google SecOps for analysis and monitoring.

Before you begin

Make sure you have the following prerequisites:

  • A Google SecOps instance.
  • Access to Cribl Stream management console or cluster.
  • Google Cloud service account credentials.

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File.

Configure Google SecOps destination in Cribl Stream

  1. Sign in to the Cribl Stream Management Console.
  2. Go to Data > Destinations.
  3. Click Add Destination.
  4. Select Google Cloud > Security Operations (SecOps).
  5. Provide the following configuration details:
    • Output ID: Enter a unique name (for example, google-secops-destination).
    • Description: Enter a description for this destination.
    • Send events as: Select Unstructured (recommended for standard log parsing).
    • API version: Select V2.
    • Default log type: Select CRIBL_STREAM from the list.
    • Optional: Namespace: Enter a namespace to identify logs from this source (for example, cribl-logs).
  6. In the Authentication section:
    • Authentication method: Service account (JSON).
    • Service account key: Upload or paste the JSON credentials file content.
  7. In the Processing section:
    • Log text field: Optionally enter _raw. If not set, Cribl will send JSON representation of the entire event; use _raw only if you actually store raw text in this field.
  8. Click Save.

Create a route to send Cribl Stream logs

  1. Go to Data > Routes.
  2. Click Add Route.
  3. Provide the following configuration details:
    • Route name: Enter a meaningful name (for example, cribl-logs-to-secops).
    • Filter: Enter source.match(/cribl.*/) to capture Cribl internal logs (operational logs from Cribl itself).
    • Output: Select the Google SecOps destination created in the previous section.
    • Pipeline: Select passthru or create a custom pipeline for log enrichment.
  4. Click Save.
  5. Commit & Deploy the configuration to apply changes.

Configure log filtering and enrichment (Optional)

If you need to filter or enrich Cribl Stream logs before sending to Google SecOps:

  1. Go to Data > Pipelines in Cribl Stream.
  2. Click Add Pipeline.
  3. Provide the following configuration details:
    • Pipeline ID: Enter a meaningful name (for example, cribl-log-processing).
    • Description: Enter a description for the pipeline.
  4. Add functions as needed:
    • Eval: Add metadata fields or modify existing fields.
    • Regex Extract: Extract specific information from log messages.
    • Drop: Remove unnecessary events or fields.
    • Mask: Redact sensitive information.
  5. Click Save.
  6. Update your route to use this pipeline instead of passthru.

Need more help? Get answers from Community members and Google SecOps professionals.