parsing
I’ve been using logstash for years. It feels like I’ve been using it forever now. But it always seems like it’s on the way out (and then the logstash team releases some new feature that’s pretty cool). First there was the beats, then agent, and now there’s cribl.
cribl
cribl stream is an interesting product, it has a lot of features and a pretty web interface to do everything from. Of course, I’m a huge fan of the cli, it’s an amazing “gui” for a lot of things. I also begrudgingly know it’s not everyone’s cup of tea.
I’ve gotten the cribl user certification, but I haven’t really used the system. So I don’t remember everything, there are definitely some very important things that I’m forgetting (like how to keep my data source running, but maybe that just happens when there aren’t errors?).
errors?
I “run” my own CA for my internal systems (thank you Michael W. Lucas!). It’s been a lot of help when it comes to me understanding tls, and openssl specifically. This isn’t a huge problem most of the time. I’ve added the CA cert to my systems and the browsers that count. Everything just works in most places. Except cribl stream. It doesn’t seem to use the system’s cert store, and I don’t see any documentation on how to add the cert for a destination. I also don’t see an option to skip verification for that destination. So right now I’m pretty much stuck, unable to send my freshly parsed data to my mostly empty elasticsearch.
To get around this, I’m currently using relayd with a let’s encrypt provided certificate. This isn’t ideal, but at least I’m currently getting my data.
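The trust failure described above can be reproduced offline with openssl alone. This is an added example, not from the original post or from cribl; the CA, host name and file names are constructed, and app-bundle.pem only stands in for any application that carries its own trust bundle instead of reading the system store.

```shell
#!/bin/sh
# Constructed demo: a private CA signs a server cert, then the cert is
# verified against a bundle that lacks the CA and against one that has it.

make_pki() {
    dir=$1
    # Self-signed root standing in for the internal CA (hypothetical name).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Internal CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # Server key and CSR for a made-up elasticsearch host name.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=es.internal.example" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
    # The internal CA signs the server cert.
    openssl x509 -req -in "$dir/leaf.csr" -days 1 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/leaf.pem" 2>/dev/null || return 1
    # An unrelated root: the only thing the "application" trusts out of the box.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Unrelated Public Root" \
        -keyout "$dir/other.key" -out "$dir/app-bundle.pem" 2>/dev/null || return 1
}

# check_trust BUNDLE CERT -> prints "trusted" or "untrusted".
# openssl may also consult its default store, but the constructed CA is in
# no system store, so the outcome depends only on BUNDLE.
check_trust() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

demo() {
    d=$(mktemp -d) || return 1
    make_pki "$d" || return 1
    echo "bundle without internal CA: $(check_trust "$d/app-bundle.pem" "$d/leaf.pem")"
    # The fix: append the internal CA to the bundle the application reads.
    cat "$d/app-bundle.pem" "$d/ca.pem" > "$d/fixed-bundle.pem"
    echo "bundle with internal CA:    $(check_trust "$d/fixed-bundle.pem" "$d/leaf.pem")"
    rm -rf "$d"
}

demo
```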
mistakes
Unfortunately I configured the id field to be a number instead of text or keyword.
I’m not sure I’ll fix that yet or not, but it was definitely a mistake.