Send Cribl logs to Axiom

Cribl is a data processing framework often used with machine data. It allows you to parse, reduce, transform, and route data to and from various systems in your infrastructure.

  • You can send logs from Cribl LogStream to Axiom using HTTP or Syslog destination.

Set up log forwarding from Cribl to Axiom using the HTTP destination

Below are the steps to set up and send logs from Cribl to Axiom using the HTTP destination:

  1. Create a new HTTP Destination in Cribl LogStream:

Open Cribl's UI and navigate to Destinations > HTTP. Click on + Add New to create a new destination.

Cribl logstream

  1. Configure the Destination:

  • Name: Choose a name for the destination.

  • In the Axiom UI, click on the datasets view and create your dataset by entering its name and description.

Auth overview

  • Endpoint URL: Input the URL of your Axiom log ingest endpoint. This should be something like https://api.axiom.co/v1/datasets/$DATASET_NAME/ingest. Replace $DATASET_NAME with the name of your dataset.

  • Method: Choose POST.

  • Event Breaker: Set this to One Event Per Request or CRLF (Carriage Return Line Feed), depending on how you want to separate events.

Cribl logstream Destination

  1. Headers:

You may need to add some headers. Here is a common example:

  • Content-Type: Set this to application/json.

  • Authorization: This should be Bearer $API_Token, replacing $API_Token with the actual API token from organization settings.

Cribl logstream Destination

  1. Body:

In the Body Template, input {{_raw}}. This will forward the raw log event to Axiom.

  1. Save and Enable the Destination:

After you've finished configuring the destination, save your changes and make sure the destination is enabled.

Set up log forwarding from Cribl to Axiom using the Syslog destination

Before you get started, create your Syslog endpoint by following this guide

  1. Create a new Syslog Destination in Cribl LogStream:

Open Cribl's UI and navigate to Destinations > Syslog. Click on + Add New to create a new destination.

  1. Configure the Destination:

  • Name: Choose a name and output ID for the destination.

  • Protocol: Choose the protocol for the syslog messages. Select the TCP protocol.

  • Destination Address: Input the address of the Axiom endpoint to which you want to send logs. This address is generated from your Syslog endpoint in Axiom and follows this format: tcp+tls://qsfgsfhjsfkbx9.syslog.axiom.co:6514.

  • Destination Port: Enter the port number on which the Axiom endpoint is listening for syslog messages which is 6514

  • Format: Choose the syslog message format. RFC3164 is a common format and is generally recommended.

  • Facility: Choose the facility code to use in the syslog messages. The facility code represents the type of process that is generating the syslog messages.

  • Severity: Choose the severity level to use in the syslog messages. The severity level represents the importance of the syslog messages.

Cribl logstream Destination

  1. Configure the Message:

  • Timestamp Format: Choose the timestamp format to use in the syslog messages.

  • Application Name Field: Enter the name of the field to use as the application name in the syslog messages.

  • Message Field: Enter the name of the field to use as the message in the syslog messages. Typically, this would be _raw.

  • Throttling: Enter the throttling value. Throttling is a mechanism to control the data flow rate from the source (Cribl) to the destination (in this case, an Axiom Syslog Endpoint).

Configure the syslog message

  1. Save and Enable the Destination:

After you've finished configuring the destination, save your changes and make sure the destination is enabled.

Was this page helpful?