Forwarding to Cribl

Cribl Streams can collect, forward, reduce, and shape Sysdig findings, giving you an additional customization layer. Cribl Lake can store the data for analysis and reporting purposes.

Prerequisites

  • The events for forwarding originate from region-specific IPs.

    For the full list of outbound IPs by region, see SaaS Regions and IP Ranges. Update your firewall and allow inbound requests from these IP addresses to enable Sysdig to forward events to Cribl.

  • Create an HTTP source on Cribl and copy the agent HTTPS URL.

Configure Standard Event Forwarding

To forward event data to Cribl:

  1. Log in to Sysdig Secure as Admin and navigate to Event Forwarding via either Integrations or Settings.

  2. Click +Add Integration and choose Webhook from the drop-down menu.

  3. Configure the mandatory parameters:

    Integration Name: Define an integration name.

    Endpoint: Enter a Cribl HTTP agent URL.

    The URL is similar to https://<yoursite>.cribl.cloud:10080/cribl/_bulk.

    Authentication: Configure authentication if you previously set an authentication method in Cribl.

    No authentication is required by default.

    Data to Send: Select the types of Sysdig data to forward.

    The available list depends on the Sysdig features and products you have enabled.

    • Select whether to Allow insecure connections, such as an invalid or self-signed certificate on the receiving side.

    • Toggle the Enabled switch as necessary. You will need to Test Integration with the button below before enabling the integration.

  4. Click Save.
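
An added example (not Sysdig or Cribl code): a small Python pre-flight check for the settings chosen in the steps above and for the inbound allowlist from the prerequisites. The config keys, function names and sample IP ranges are assumptions made for illustration; the ranges are documentation placeholders, not Sysdig's real outbound IPs.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed placeholders (RFC 5737 documentation ranges), NOT real Sysdig IPs.
# Replace with the outbound IPs for your region from "SaaS Regions and IP Ranges".
SYSDIG_OUTBOUND = ["192.0.2.10/32", "198.51.100.0/28"]


def source_allowed(src_ip, allowed=SYSDIG_OUTBOUND):
    """True if src_ip falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(net) for net in allowed)


def review_integration(cfg):
    """Return a list of findings for a webhook integration described by cfg.

    cfg keys are hypothetical names mirroring the form fields:
      endpoint (str), authentication (None or str), allow_insecure (bool)
    """
    findings = []
    url = urlsplit(cfg["endpoint"])
    if url.scheme != "https":
        findings.append("endpoint is not HTTPS: events and credentials travel in clear text")
    if not url.path.rstrip("/").endswith("/cribl/_bulk"):
        findings.append("endpoint path does not look like the Cribl HTTP source URL (/cribl/_bulk)")
    if url.username or url.password:
        findings.append("credentials embedded in URL: use the Authentication field instead")
    if cfg.get("allow_insecure"):
        findings.append("certificate validation disabled: receiver identity is not verified")
    if not cfg.get("authentication"):
        findings.append("no authentication: the IP allowlist is the only control on the source")
    return findings


if __name__ == "__main__":
    # Constructed sample: the defaults plus "Allow insecure connections" ticked.
    sample = {"endpoint": "https://example.cribl.cloud:10080/cribl/_bulk",
              "authentication": None, "allow_insecure": True}
    for finding in review_integration(sample):
        print("-", finding)
```
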

View Events in Cribl

  1. Log in to your Cribl Streams account.

  2. Navigate to Worker Groups > Default > Routing.

  3. Select the HTTP source icon and click Capture.

    View how the data is ingested in real time. Here is an example of how policy events forwarded from Sysdig Secure are displayed on the Cribl UI: