Send Cribl logs to Axiom
Cribl is a data processing framework often used with machine data. It allows you to parse, reduce, transform, and route data to and from various systems in your infrastructure.
You can send logs from Cribl LogStream to Axiom using the HTTP or Syslog destination.
Set up log forwarding from Cribl to Axiom using the HTTP destination
Below are the steps to set up and send logs from Cribl to Axiom using the HTTP destination:
- Create a new HTTP Destination in Cribl LogStream:
Open Cribl's UI and navigate to Destinations > HTTP. Click on + Add New to create a new destination.
- Configure the Destination:
  - Name: Choose a name for the destination.
  - In the Axiom UI, click on the datasets view and create your dataset by entering its name and description.
  - Endpoint URL: Input the URL of your Axiom log ingest endpoint. This should be something like https://api.axiom.co/v1/datasets/$DATASET_NAME/ingest with $DATASET_NAME replaced by the name of your dataset.
  - Method: Choose POST.
  - Event Breaker: Set this to One Event Per Request or CRLF (Carriage Return Line Feed), depending on how you want to separate events.
- Headers:
You may need to add some headers. Here is a common example:
  - Content-Type: Set this to application/json.
  - Authorization: This should be Bearer $API_Token, replacing $API_Token with the actual API token from organization settings.
- Body:
In the Body Template, input {{_raw}}. This will forward the raw log event to Axiom.
- Save and Enable the Destination:
After you've finished configuring the destination, save your changes and make sure the destination is enabled.
Set up log forwarding from Cribl to Axiom using the Syslog destination
Before you get started, create your Syslog endpoint by following this guide.
- Create a new Syslog Destination in Cribl LogStream:
Open Cribl's UI and navigate to Destinations > Syslog. Click on + Add New to create a new destination.
- Configure the Destination:
  - Name: Choose a name and output ID for the destination.
  - Protocol: Choose the protocol for the syslog messages. Select the TCP protocol.
  - Destination Address: Input the address of the Axiom endpoint to which you want to send logs. This address is generated from your Syslog endpoint in Axiom and follows the format tcp+tls://qsfgsfhjsfkbx9.syslog.axiom.co:6514.
  - Destination Port: Enter the port number on which the Axiom endpoint is listening for syslog messages, which is 6514.
  - Format: Choose the syslog message format. RFC3164 is a common format and is generally recommended.
  - Facility: Choose the facility code to use in the syslog messages. The facility code represents the type of process that is generating the syslog messages.
  - Severity: Choose the severity level to use in the syslog messages. The severity level represents the importance of the syslog messages.
- Configure the Message:
  - Timestamp Format: Choose the timestamp format to use in the syslog messages.
  - Application Name Field: Enter the name of the field to use as the application name in the syslog messages.
  - Message Field: Enter the name of the field to use as the message in the syslog messages. Typically, this would be _raw.
  - Throttling: Enter the throttling value. Throttling is a mechanism to control the data flow rate from the source (Cribl) to the destination (in this case, an Axiom Syslog Endpoint).
- Save and Enable the Destination:
After you've finished configuring the destination, save your changes and make sure the destination is enabled.
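A pre-flight check for the values entered in the HTTP and Syslog destinations above, added here as an example and not taken from the original page or from Cribl's or Axiom's tooling. It flags unreplaced placeholders, an ingest URL that is not https, a malformed Authorization header, and a syslog address that is not tcp+tls on port 6514. The function names, the sample dataset name and token, the .syslog.axiom.co host suffix (inferred from the example address) and the rule that the _raw body must parse as JSON are assumptions.

```python
import json
import urllib.request
from urllib.parse import urlsplit

def check_http_destination(url, headers):
    """Return the problems found in the HTTP destination values."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("endpoint is not https: the token would travel unencrypted")
    if parts.hostname != "api.axiom.co":  # host of the endpoint URL on this page
        problems.append(f"unexpected host: {parts.hostname}")
    seg = parts.path.strip("/").split("/")
    if len(seg) != 4 or seg[:2] != ["v1", "datasets"] or seg[3] != "ingest":
        problems.append("path is not /v1/datasets/<dataset>/ingest")
    elif seg[2].startswith("$"):
        problems.append("$DATASET_NAME placeholder not replaced")
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token.strip():
        problems.append("Authorization is not 'Bearer <token>'")
    elif token.startswith("$"):
        problems.append("$API_Token placeholder not replaced")
    if headers.get("Content-Type") != "application/json":
        problems.append("Content-Type is not application/json")
    return problems

def check_syslog_destination(address):
    """Return the problems found in the Syslog destination address."""
    problems = []
    parts = urlsplit(address)
    if parts.scheme != "tcp+tls":
        problems.append("scheme is not tcp+tls")
    if not (parts.hostname or "").endswith(".syslog.axiom.co"):
        problems.append(f"unexpected host: {parts.hostname}")
    if parts.port != 6514:
        problems.append(f"port is {parts.port}, expected 6514")
    return problems

def build_test_request(url, headers, raw_event):
    """Build, without sending, a POST carrying one _raw event as its body."""
    json.loads(raw_event)  # assumption: a JSON content type needs a JSON body
    return urllib.request.Request(url, data=raw_event.encode("utf-8"),
                                  headers=headers, method="POST")

# Constructed sample values: the dataset name and token are placeholders.
URL = "https://api.axiom.co/v1/datasets/cribl-logs/ingest"
HEADERS = {"Content-Type": "application/json",
           "Authorization": "Bearer EXAMPLE-TOKEN-NOT-REAL"}
SYSLOG = "tcp+tls://qsfgsfhjsfkbx9.syslog.axiom.co:6514"
print(check_http_destination(URL, HEADERS), check_syslog_destination(SYSLOG))
```

An empty list from either check means the values match what the steps above describe; build_test_request raises ValueError when the event text is not JSON.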