Sold by: Cribl
Deployed on AWS
Free Trial
Vendor Insights
Quick Launch
Cribl.Cloud gives control over IT and security data without the hassle of running infrastructure.
4.3
Overview
Cribl.Cloud is the easiest way to try Cribl products in the cloud through a unified platform. Cribls suite of products gives flexibility and control back to customers. With routing, shaping, enriching, and search functionalities that make data more manageable, you can easily clean up your data, get it where it needs to be, work more efficiently, and ultimately gain the control and confidence needed to be successful.
Cribl Cloud suite of products includes:
Stream: A highly scalable data router for data collection, reduction, enrichment, and routing of observability data.
Edge: An intelligent, scalable edge-based data collection system for logs, metrics, and application data.
Lake: Storage that does not lock data in. Cribl Lake is a turnkey data lake makes it easy and economical to store, access, replay, and analyze data no expertise needed.
Search: A search feature to perform federated search-in-place queries on any data, in any form.
Getting Started
When you purchase your Cribl.Cloud subscription directly from the AWS Marketplace, you can experience a smooth billing process that you're already familiar with, without needing to set up a separate procurement plan to use Cribl products. Track billing and usage directly in Cribl.Cloud.
Enjoy a quick and easy purchasing experience by utilizing your existing spend commitments through the AWS Enterprise Discount Program (EDP) to subscribe to Cribl.Cloud. Get flexible pricing and terms by purchasing through a private offer. Purchase the Cribl Cloud Suite of offerings at a pre-negotiated price. Contact awsmp@cribl.io or a sales representative for flexible pricing for 12/24/36-month terms.
We are available in US-West-2 (Oregon), US-East-2 (Ohio), US-East-1 (Virginia), CA-Central-1 (Canada Central), EU-West-2 (London), EU-Central-1 (Frankfurt), and AP-Southeast-2 (Sydney) with more regions coming soon! Regional pricing will apply.
To learn more about pricing and the consumption pricing philosophy, please visit: Cribl Pricing - https://cribl.io/cribl-pricing/ Cribl.Cloud Simplified with Consumption Pricing Blog - https://cribl.io/blog/cribl-cloud-consumption-pricing/
Highlights
- Fast and easy onboarding - With zero-touch deployment, you can quickly start using Cribl products without the hassle, burden, and cost of managing infrastructure.
- Instant scalability - The cloud provides flexibility to easily scale up or down to meet changing business needs and dynamic data demands.
- Trusted security - Cribl knows how important protecting data is, and built all Cribl products and services from the ground up with security as the top priority. Cribl.Cloud is SOC 2 compliant, ensuring all your data is protected and secure. Cribl.Cloud is currently In Process for FedRAMP IL4.
Details
Sold by
Categories
Delivery method
Deployed on AWS
New
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Features and programs
Skip the manual risk assessment. Get verified and regularly updated security info on this product with Vendor Insights.
Security credentials achieved
(2)
ISO27001
SOC2
Buyer guide
Gain valuable insights from real users who purchased this product, powered by PeerSpot.
Financing for AWS Marketplace purchases
AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.
Quick Launch
Leverage AWS CloudFormation templates to reduce the time and resources required to configure, deploy, and launch your software.
Pricing
Free trial
Try this product free according to the free trial terms set by the vendor.
Pricing is based on the duration and terms of your contract with the vendor, and additional usage. You pay upfront or in installments according to your contract terms with the vendor. This entitles you to a specified quantity of use for the contract duration. Usage-based pricing is in effect for overages or additional usage not covered in the contract. These charges are applied on top of the contract price. If you choose not to renew or replace your contract before the contract end date, access to your entitlements will expire.
Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.
Dimension | Description | Cost/12 months |
|---|---|---|
Cribl.Cloud Free | Cribl.Cloud Suite Free Tier | $0.00 |
Cribl.Cloud Enterprise | Cribl.Cloud Suite Enterprise with 1TB Daily ingestion | $142,800.00 |
Dimension | Cost/unit |
|---|---|
Overage Fees | $0.01 |
Vendor refund policy
Cribl will refund prior payments attributable to the unused remainder of your purchase.
Custom pricing options
Request a private offer to receive a custom quote.
Legal
Vendor terms and conditions
Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA) .
Content disclaimer
Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.
Delivery details
Software as a Service (SaaS)
SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.
Additional details
Usage instructions
Cribl Cloud Trust IAM Role CloudFormation Template
This CloudFormation template creates an IAM role that allows Cribl Cloud to access specific AWS resources in your account. The role is designed to provide Cribl Cloud with the necessary permissions to interact with S3 buckets and SQS queues.
Template Overview
The template does the following:
- Creates an IAM role named CriblTrustCloud
- Configures a trust relationship with Cribl Cloud's AWS account
- Attaches a policy that grants access to S3 and SQS resources
- Outputs the role name, ARN, and an external ID for authentication
Parameters
- CriblCloudAccountID: The AWS account ID of Cribl Cloud (default: '012345678910')
IAM Role Details
Trust Relationship
The role trusts two specific roles in the Cribl Cloud account:
- arn:aws:iam::{CriblCloudAccountID}:role/search-exec-main
- arn:aws:iam::{CriblCloudAccountID}:role/main-default
These roles can assume the CriblTrustCloud role using the sts:AssumeRole, sts:TagSession, and sts:SetSourceIdentity actions.
Permissions
The role has a policy named CriblCloudS3SQSPolicy that grants the following permissions:
- S3 access:
- List buckets
- Get and put objects
- Get bucket location
- SQS access:
- Receive and delete messages
- Change message visibility
- Get queue attributes and URL
These permissions apply to all S3 buckets and SQS queues in the account.
Security Feature
The template includes a security feature that requires an external ID for authentication. This external ID is derived from the CloudFormation stack ID, providing an additional layer of security when assuming the role.
Outputs
The template provides three outputs:
- RoleName: The name of the created IAM role
- RoleArn: The ARN of the created role
- ExternalId: The external ID required for authentication when assuming the role
Usage
To use this template:
- Deploy it in your AWS account using CloudFormation
- Provide the resulting role ARN and external ID to Cribl Cloud
- Cribl Cloud can then assume this role to access your S3 and SQS resources
Remember to review and adjust the permissions as necessary to align with your security requirements and the specific needs of your Cribl Cloud integration1 2 3 .
<div style="text-align: center">⁂</div>Enable CloudTrail and VPC Flow Logging for Cribl Cloud
This document explains the resources that will be created when deploying the provided CloudFormation template. The template is designed to create an IAM role that trusts Cribl Cloud and sets up CloudTrail and VPC Flow logging to an S3 bucket.
Template Overview
The template automates the creation of AWS resources to enable centralized logging, specifically focusing on CloudTrail logs and VPC Flow Logs. It creates S3 buckets for storing these logs, SQS queues for triggering processes upon log arrival, and an IAM role to allow Cribl Cloud to access these logs.
Resources Created
Here's a breakdown of the resources defined in the CloudFormation template:
-
CriblCTQueue (AWS::SQS::Queue): Creates an SQS queue named according to the CTSQS parameter (default: cribl-cloudtrail-sqs). This queue will be used to trigger actions when new CloudTrail logs are written to the S3 bucket.
- Properties:
- QueueName: !Ref CTSQS - Sets the queue name to the value of the CTSQS parameter.
- Properties:
-
CriblCTQueuePolicy (AWS::SQS::QueuePolicy): Defines the policy for the CriblCTQueue, allowing s3.amazonaws.com to send messages to the queue. The policy includes a condition that the source account must match the AWS account ID in which the stack is deployed. This ensures only S3 events from the current AWS account can trigger the queue.
- Properties:
- PolicyDocument:
- Statement:
- Effect: Allow - Allows actions specified in the policy.
- Principal: Service: s3.amazonaws.com - Specifies the service that can perform the actions.
- Action: SQS:SendMessage - Allows sending messages to the queue.
- Resource: !GetAtt CriblCTQueue.Arn - The ARN of the SQS queue.
- Condition:
- StringEquals: 'aws:SourceAccount': !Ref AWS::AccountId - Restricts the source account to the account where the stack is deployed.
- Statement:
- Queues: !Ref CTSQS - Associates the policy with the SQS queue.
- PolicyDocument:
- Properties:
-
TrailBucket (AWS::S3::Bucket): Creates an S3 bucket used to store CloudTrail logs. The bucket is configured with a NotificationConfiguration that sends an event to the CriblCTQueue when a new object is created (specifically, a PUT operation). This will trigger processing when new CloudTrail logs are available.
- Properties:
- NotificationConfiguration:
- QueueConfigurations:
- Event: s3:ObjectCreated:Put - Specifies that the notification should be triggered when an object is created using a PUT operation.
- Queue: !GetAtt CriblCTQueue.Arn - The ARN of the SQS queue to send the notification to.
- QueueConfigurations:
- NotificationConfiguration:
- DependsOn: CriblCTQueuePolicy - Ensures that the queue policy is created before the bucket.
- Properties:
-
TrailBucketPolicy (AWS::S3::BucketPolicy): Defines the policy for the TrailBucket. This policy grants permissions to:
-
delivery.logs.amazonaws.com: Allows the AWS Logs service to write objects to the bucket, ensuring proper log delivery. It requires bucket-owner-full-control ACL.
-
cloudtrail.amazonaws.com: Allows CloudTrail to get the bucket ACL and put objects into the bucket. It also requires bucket-owner-full-control ACL.
-
A Deny statement that enforces the use of SSL for all requests to the bucket, enhancing security.
-
Properties:
- Bucket: !Ref TrailBucket - The name of the S3 bucket.
- PolicyDocument:
- Version: 2012-10-17 - The version of the policy document.
- Statement:
- Sid: AWSLogDeliveryWrite
- Effect: Allow - Allows the action specified.
- Principal: Service: delivery.logs.amazonaws.com - The AWS Logs service principal.
- Action: s3:PutObject - Allows putting objects into the bucket.
- Resource: !Sub '${TrailBucket.Arn}/AWSLogs/' - The S3 bucket and prefix to allow the action on.
- Condition: StringEquals: 's3:x-amz-acl': bucket-owner-full-control - Requires the bucket-owner-full-control ACL.
- Sid: AWSCloudTrailAclCheck
- Effect: Allow
- Principal: Service: cloudtrail.amazonaws.com
- Action: s3:GetBucketAcl
- Resource: !Sub '${TrailBucket.Arn}'
- Sid: AWSCloudTrailWrite
- Effect: Allow
- Principal: Service: cloudtrail.amazonaws.com
- Action: s3:PutObject
- Resource: !Sub '${TrailBucket.Arn}/AWSLogs/*/*'
- Condition: StringEquals: 's3:x-amz-acl': 'bucket-owner-full-control'
- Sid: AllowSSLRequestsOnly
- Effect: Deny
- Principal: * - Applies to all principals.
- Action: s3:* - Denies all S3 actions.
- Resource:
- !GetAtt TrailBucket.Arn
- !Sub '${TrailBucket.Arn}/*'
- Condition: Bool: 'aws:SecureTransport': false - Denies requests that are not using SSL.
- Sid: AWSLogDeliveryWrite
-
-
ExternalTrail (AWS::CloudTrail::Trail): Creates a CloudTrail trail. It is configured to:
-
Store logs in the TrailBucket.
-
Include global service events.
-
Enable logging.
-
Create a multi-region trail.
-
Enable log file validation.
-
Properties:
- S3BucketName: !Ref TrailBucket - The name of the S3 bucket where the logs will be stored.
- IncludeGlobalServiceEvents: true - Includes global service events.
- IsLogging: true - Enables logging.
- IsMultiRegionTrail: true - Creates a multi-region trail.
- EnableLogFileValidation: true - Enables log file validation.
- TrailName: !Sub '${TrailBucket}-trail' - Sets the name of the trail.
-
DependsOn:
- TrailBucket
- TrailBucketPolicy
-
-
CriblVPCQueue (AWS::SQS::Queue): Creates an SQS queue named according to the VPCSQS parameter (default: cribl-vpc-sqs). This queue will be used to trigger actions when new VPC Flow Logs are written to the S3 bucket.
- Properties:
- QueueName: !Ref VPCSQS - Sets the queue name.
- Properties:
-
CriblVPCQueuePolicy (AWS::SQS::QueuePolicy): Defines the policy for the CriblVPCQueue, allowing s3.amazonaws.com to send messages to the queue. Similar to CriblCTQueuePolicy, it restricts access to events originating from the same AWS account.
- Properties:
- PolicyDocument:
- Statement:
- Effect: Allow
- Principal: Service: s3.amazonaws.com
- Action: SQS:SendMessage
- Resource: !GetAtt CriblVPCQueue.Arn
- Condition: StringEquals: 'aws:SourceAccount': !Ref "AWS::AccountId"
- Statement:
- Queues: !Ref VPCSQS
- PolicyDocument:
- Properties:
-
LogBucket (AWS::S3::Bucket): Creates an S3 bucket used to store VPC Flow Logs. The bucket is configured with a NotificationConfiguration to send an event to the CriblVPCQueue when new objects are created.
- Properties:
- NotificationConfiguration:
- QueueConfigurations:
- Event: s3:ObjectCreated:Put
- Queue: !GetAtt CriblVPCQueue.Arn
- QueueConfigurations:
- NotificationConfiguration:
- DependsOn: CriblVPCQueuePolicy
- Properties:
-
LogBucketPolicy (AWS::S3::BucketPolicy): Defines the policy for the LogBucket. This policy grants permissions to:
-
delivery.logs.amazonaws.com: Allows the AWS Logs service to write objects to the bucket. It requires bucket-owner-full-control ACL.
-
Allows delivery.logs.amazonaws.com to get the bucket ACL.
-
Enforces SSL for all requests to the bucket.
-
Properties:
- Bucket: !Ref LogBucket
- PolicyDocument:
- Version: 2012-10-17
- Statement:
- Sid: AWSLogDeliveryWrite
- Effect: Allow
- Principal: Service: delivery.logs.amazonaws.com
- Action: s3:PutObject
- Resource: !Sub '${LogBucket.Arn}/AWSLogs/${AWS::AccountId}/*'
- Condition: StringEquals: 's3:x-amz-acl': bucket-owner-full-control
- Sid: AWSLogDeliveryAclCheck
- Effect: Allow
- Principal: Service: delivery.logs.amazonaws.com
- Action: s3:GetBucketAcl
- Resource: !GetAtt LogBucket.Arn
- Sid: AllowSSLRequestsOnly
- Effect: Deny
- Principal: *
- Action: s3:*
- Resource:
- !GetAtt LogBucket.Arn
- !Sub '${LogBucket.Arn}/*'
- Condition: Bool: 'aws:SecureTransport': false
- Sid: AWSLogDeliveryWrite
-
-
FlowLog (AWS::EC2::FlowLog): Creates a VPC Flow Log that captures network traffic information for the VPC specified in the VPCId parameter. The flow logs are stored in the LogBucket. The type of traffic to log is determined by the TrafficType parameter (ALL, ACCEPT, or REJECT).
- Properties:
- LogDestination: !Sub 'arn:${AWS::Partition}:s3:::${LogBucket}' - The ARN of the S3 bucket where the flow logs will be stored.
- LogDestinationType: s3 - Specifies that the destination is an S3 bucket.
- ResourceId: !Ref VPCId - The ID of the VPC to log.
- ResourceType: VPC - Specifies that the resource is a VPC.
- TrafficType: !Ref TrafficType - The type of traffic to log (ALL, ACCEPT, REJECT).
- Properties:
-
CriblTrustCloud (AWS::IAM::Role): Creates an IAM role that allows Cribl Cloud to access AWS resources.
- Properties:
- AssumeRolePolicyDocument:
- Version: 2012-10-17
- Statement:
- Effect: Allow
- Principal:
- AWS:
- !Sub 'arn:aws:iam::${CriblCloudAccountID}:role/search-exec-main'
- !Sub 'arn:aws:iam::${CriblCloudAccountID}:role/main-default'
- AWS:
- Action:
- sts:AssumeRole
- sts:TagSession
- sts:SetSourceIdentity
- Condition:
- StringEquals: 'sts:ExternalId': !Select - 4 - !Split - '-' - !Select - 2 - !Split - '/' - !Ref 'AWS::StackId'
- Description: Role to provide access AWS resources from Cribl Cloud Trust
- Policies:
- PolicyName: SQS
- PolicyDocument:
- Version: 2012-10-17
- Statement:
- Effect: Allow
- Action:
- sqs:ReceiveMessage
- sqs:DeleteMessage
- sqs:GetQueueAttributes
- sqs:GetQueueUrl
- Resource:
- !GetAtt CriblCTQueue.Arn
- !GetAtt CriblVPCQueue.Arn
- PolicyDocument:
- PolicyName: S3EmbeddedInlinePolicy
- PolicyDocument:
- Version: 2012-10-17
- Statement:
- Effect: Allow
- Action:
- s3:ListBucket
- s3:GetObject
- s3:PutObject
- s3:GetBucketLocation
- Resource:
- !Sub ${TrailBucket.Arn}
- !Sub ${TrailBucket.Arn}/*
- !Sub ${LogBucket.Arn}
- !Sub ${LogBucket.Arn}/*
- PolicyDocument:
- PolicyName: SQS
- AssumeRolePolicyDocument:
- Properties:
Parameters
The template utilizes parameters to allow customization during deployment:
- CriblCloudAccountID: The AWS account ID of the Cribl Cloud instance. This is required for the IAM role's trust relationship.
- Description: Cribl Cloud Trust AWS Account ID. Navigate to Cribl.Cloud, go to Workspace and click on Access. Find the Trust and copy the AWS Account ID found in the trust ARN.
- Type: String
- Default: '012345678910'
- CTSQS: The name of the SQS queue for CloudTrail logs.
- Description: Name of the SQS queue for CloudTrail to trigger for S3 log retrieval.
- Type: String
- Default: cribl-cloudtrail-sqs
- TrafficType: The type of traffic to log for VPC Flow Logs (ALL, ACCEPT, REJECT).
- Description: The type of traffic to log.
- Type: String
- Default: ALL
- AllowedValues: ACCEPT, REJECT, ALL
- VPCSQS: The name of the SQS queue for VPC Flow Logs.
- Description: Name of the SQS for VPCFlow Logs.
- Type: String
- Default: cribl-vpc-sqs
- VPCId: The ID of the VPC for which to enable flow logging.
- Description: Select your VPC to enable logging
- Type: AWS::EC2::VPC::Id
Outputs
The template defines outputs that provide key information about the created resources:
- CloudTrailS3Bucket: The ARN of the S3 bucket storing CloudTrail logs.
- Description: Amazon S3 Bucket for CloudTrail Events
- Value: !GetAtt TrailBucket.Arn
- VPCFlowLogsS3Bucket: The ARN of the S3 bucket storing VPC Flow Logs.
- Description: Amazon S3 Bucket for VPC Flow Logs
- Value: !GetAtt LogBucket.Arn
- RoleName: The name of the created IAM role.
- Description: Name of created IAM Role
- Value: !Ref CriblTrustCloud
- RoleArn: The ARN of the created IAM role.
- Description: Arn of created Role
- Value: !GetAtt CriblTrustCloud.Arn
- ExternalId: The external ID used for authentication when assuming the IAM role.
- Description: External Id for authentication
- Value: !Select - 4 - !Split - '-' - !Select - 2 - !Split - '/' - !Ref 'AWS::StackId'
Deployment Considerations
- Cribl Cloud Account ID: Ensure the CriblCloudAccountID parameter is set to the correct AWS account ID for your Cribl Cloud instance. This is crucial for establishing the trust relationship.
- S3 Bucket Names: S3 bucket names must be globally unique. If the template is deployed multiple times in the same region, you may need to adjust the names of the buckets. Consider using a Stack name prefix.
- VPC ID: The VPCId parameter should be set to the ID of the VPC for which you want to enable flow logging.
- Security: Regularly review and update IAM policies to adhere to the principle of least privilege. Consider using more restrictive S3 bucket policies if necessary.
- SQS Queue Configuration: Monitor the SQS queues for backlog and adjust the processing capacity accordingly.
- CloudTrail Configuration: Confirm that CloudTrail is properly configured to deliver logs to the designated S3 bucket.
- VPC Flow Log Configuration: Verify that VPC Flow Logs are correctly capturing network traffic.
- External ID: The External ID is a critical security measure for cross-account access. Make sure it's correctly configured in both AWS and Cribl Cloud.
This detailed explanation provides a comprehensive understanding of the resources created by the CloudFormation template, enabling informed deployment and management. Remember to adapt parameters to your specific environment and security requirements.
Footnotes
Resources
Vendor resources
Support
Vendor support
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Updated weekly
Top
10
In Log Management, Security Observability
Top
10
In Migration, Monitoring, Continuous Integration and Continuous Delivery
Sentiment is AI generated from actual customer reviews on AWS and G2
Functionality
Ease of use
Customer service
Cost effectiveness
Positive reviews
Mixed reviews
Negative reviews
AI generated from product descriptions
Data Routing
Highly scalable data router for collection, reduction, enrichment, and routing of observability data
Edge Data Collection
Intelligent and scalable edge-based system for collecting logs, metrics, and application data
Data Lake Storage
Flexible storage solution that enables storing, accessing, replaying, and analyzing data without expertise requirements
Federated Search
Capability to perform search-in-place queries across diverse data formats and sources
Security Compliance
SOC 2 compliant platform with in-process FedRAMP IL4 certification, built with security as a core design principle
Data Collection and Indexing
Real-time collection and indexing of machine-generated data from diverse sources and locations
Event Correlation
Advanced correlation capabilities including time-based, transaction-based, sub-searches, lookups, and joins across multiple data sources
Scalability
Capability to collect and index tens of terabytes of data per day with distributed computing architecture
High Availability
Clustering technology ensuring continuous data availability and system reliability during scale-out operations
Machine Data Analysis
Comprehensive platform for searching, analyzing, and visualizing massive streams of machine data from physical, virtual, and cloud infrastructures
Telemetry Data Management
Comprehensive platform to ingest, analyze, and alert on metrics, events, logs, and traces across infrastructure
Multi-Stack Observability
Full-stack monitoring capability providing integrated visualization and troubleshooting across software environments
Intelligent Anomaly Detection
Automated system for detecting performance anomalies, correlating issues, and reducing alert noise
AWS Service Integration
Deep integration with AWS technology stack enabling telemetry data collection from multiple AWS services including EKS, Lambda, Kinesis, and CloudWatch
SAP Environment Monitoring
Agentless monitoring solution supporting multiple SAP systems including ABAP, ECC, S/4HANA, BTP, with insights into CPU, databases, RFC details, and background jobs
Validated by AWS Marketplace
FedRAMP
GDPR
HIPAA
ISO/IEC 27001
PCI DSS
SOC 2 Type 2
-
-
-
-
No security profile
No security profile
Standard contract
No
No
No
Customer reviews
Preetham KumarT.S.B
Log routing has reduced data volume and now supports efficient cloud security monitoring
Reviewed on Dec 30, 2025
Review provided by PeerSpot
What is our primary use case?
My usual use cases for Cribl involve collecting logs from many endpoints, including user activities. We collect logs into either Log Analytical Workspace or Event Hub and redirect to Cribl so that Cribl filters the required logs and redirects them to the SIEM tool.
We do not get a chance to use the user interface of Cribl because our client has access to that; we only implement and do that. They will check whether it is there, but based on my experience, it will be pretty easy to see what is in the user interface, and it will be easy to manage as well.
We have not used Cribl Search to a large extent because the client requirement was to only implement Cribl and integrate it with the SIEM . We have not used Cribl Search extensively, and I do not have any information about it.
What is most valuable?
The features of Cribl that I prefer most include the way it can easily be interfaced to SIEM and Event Hubs in Log Analytical Workspace. From Sentinel and from any other tool, it can easily be interfaced and it can send data to SIEM; those features I prefer to use most.
In assessing Cribl's ability to handle high volumes of diverse data types such as logs and metrics, as of now we have not faced any problems in collecting a large number of logs. Cribl is pretty efficient in collecting logs even when there are too many logs flowing at a time. We can collect not only server logs but also OS logs and even audit logs without any difficulty, and there has been no blockage in the system. There are no complaints, but it has been a very good experience using Cribl. Since this is a software as a service, if any problem exists, we just raise a ticket to Cribl team, and they will immediately jump into that and resolve all the questions or queries we raise.
Regarding Cribl's scalability, we did not have any problems with any cloud compatibility. The client requirement was to use Cribl, and we were checking whether it is compatible with Azure . Within a single day, we got a solution that it is easily compatible. We just needed some prerequisites, such as opening a few ports, and we wanted to ensure that everything was working regarding the reachability of the client to the agents. Once this was done, we did not have any issues.
What needs improvement?
I am not in a position to comment on how Cribl could be improved or enhanced because it is a good tool, and I have only used a small part of the entire Cribl product. As of now I am pretty happy with the entire Cribl component, but there are still a lot of things to learn.
For how long have I used the solution?
I have been working with Cribl for the last six months.
What do I think about the stability of the solution?
In assessing the stability and reliability of Cribl, as of now we do not have any problems with stability. Even though we had two worker nodes in one region and a load balancer, we did not face any system issues. In case of vulnerability where we wanted to patch any one worker node, we easily did that and switched it on. We never faced a problem where some software was not there and therefore not working. Reliability-wise, Cribl is working perfectly fine.
Regarding scalability, we started with zero servers and have around 285 servers now. We did not experience any problems or slowdowns due to a lot of load. Cribl neatly managed everything.
What do I think about the scalability of the solution?
I can rate Cribl's scalability around 9; I would say 9.5.
How are customer service and support?
I have addressed the technical support team of Cribl. Every now and then, if there are servers having legacy operating systems, the latest versions of Cribl will not be supported. We have to contact them and ask which version will be supported because they have prerequisites. Based on the prerequisite, we have to downgrade to an older version of Cribl rather than use the newer version because it expects some advanced Java version. However, due to legacy systems, we do not get all those things. We manage this because those are all crown jewels of the client, and we do not want to change anything there, so we downgrade Cribl version and install it. We did not find any blockers because of this downgrading.
The skills and professionalism of the technical support team from Cribl are very good in terms of timing and skills. They understand the problem clearly, and once they understand it, they will resolve it within a day. Sometimes they resolve it within hours. Sometimes by hearing the problem itself, they will know what the solution is, and they will let us know how to resolve it, and we do it immediately.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
I left the organization and I am no longer in the same organization, so I do not get a chance to work with these products (Darktrace , Microsoft Defender, and Perception Point Advanced Email Security ) anymore.
How was the initial setup?
For deploying or setting up Cribl, the requirements were given by the client, and we had to abide by that. Cribl was the only tool we had to use according to our requirement. We started with the deployment where they had given the requirements, and then we started with that and performed it successfully, starting with installing agents in all other servers.
The deployment and setup process of Cribl was straightforward because there are two ways to deploy. We can get an EXE, click and enter the details, or there is an automated script where we can run it and it will do it automatically. In the case of Linux, it will update and install the latest package, which is also quite easy. It is not a very tough thing to install any agent inside the system. It is pretty easy.
What about the implementation team?
For support, we always raise a ticket to Cribl. We do not get the entire thing, but support activity is what we get. I have just implemented and I have just redirected the logs into Cribl for collecting all the security loggings.
I am an end user of Cribl. We manage Cribl for only implementation. As we have just implemented it, I am using it in our organization.
What was our ROI?
In sharing my thoughts on Cribl's ability to contain data cost and complexity, nowadays because of events per second, the way of SIEM billability is based on events per second. If you inject logs into Cribl, we can save a lot of data. Many logs are repeated logs. We can easily avoid repeated logging into the SIEM, which will also reduce the fatigue for the SOC engineers. This is one positive aspect of using Cribl, as we can reduce the number of events and increase flexibility and efficiency in the environment.
What's my experience with pricing, setup cost, and licensing?
I'm not sure of Cribl pricing because it has been procured as a package by our client, and we are not exposed to or do not have an idea of how much they have spent to get a license from Cribl. But I understand that it is a little bit on the higher side. However, for what we have paid, the quality of service which they have provided makes us happy with that.
Which other solutions did I evaluate?
I do not think that if the pricing is on the higher side, it could be suitable for all types of users, such as small or medium ones. Each security component is important these days, and I feel Cribl usage always helps the product. However, it also depends on the budget they have. If they are able to use Cribl as a log monitoring tool for the SIEM according to their budget, it would be good. Again, there are pros and cons which we have to consider about their budget. If it is a very small organization, Log Analytical Workspace would be enough to collect all the logs. But if it is a big organization and budget is not a concern, I think they can go for log monitoring.
What other advice do I have?
I have not seen a decrease in firewall logs with Cribl so far. What we do is use Event Hub. We actually redirect the entire thing to SIEM, so it will not come via Cribl. It will come via Cribl, but it will filter the required things based on our use case. We do not write all the packets because most of the packets would have been filtered in the firewall itself. Whatever packets are coming towards the firewall, if we want to collect the logs, we are directly interfacing with SIEM and we will collect it from there so that we do not want to lose what is the external activity on the internet towards our environment.
Based on everything I just described, I would rate Cribl overall as 10 out of 10. I have not used other parts of the feature; for whatever log monitoring I have used for Cribl, I always try to rate the maximum. However, I have not used Cribl Lake, Cribl Search, and other things they offer, so I cannot comment on those.
Holly Saha
Centralized log routing has reduced data complexity and manages diverse internal security telemetry efficiently
Reviewed on Nov 26, 2025
Review provided by PeerSpot
What is our primary use case?
Cribl is used to manage routing of different log systems and vulnerability type log scanning and retention, which is then re-routed to log retention servers. Firewall logs are sent directly from firewalls into Splunk, which is where Cribl also sends data, so Cribl is bypassed for firewalls. Cribl is primarily utilized for internal servers, systems, and endpoints.
What is most valuable?
The ability to make different variations and adjustments within Cribl to scan for specific items or to get an overall scan is valuable. Cribl's ability to contain data cost and complexity makes the system much easier to use. The cost is higher than preferred, but it is considered the cost of doing business. Data ingestion costs increase with higher ingestion levels, but by maintaining similar or lower levels and refining tuning and ingestion as it comes, costs have been maintained and remain within expectations.
Cribl's interface is user-friendly and easy to learn, making it simple to teach new users how to use it.
What needs improvement?
Cribl handles a high volume of diverse data types very well, such as logs and metrics. However, the endpoint plug-in tool can use some refinement, as it tends to hit system resources and can sometimes be detrimental to systems to the point where it must be turned off and a scan restarted when a user is offline.
Outside of the endpoint issue, there may not be much that Cribl can do better in the program itself. It becomes tedious when one-off fixes are needed because a user submits a ticket complaining that their system is unusable due to Cribl performing a scan.
For how long have I used the solution?
Cribl has been used for approximately six years in a career, not necessarily on this job only.
What do I think about the stability of the solution?
No lagging, crashing, downtime, or instability has been observed in Cribl itself, only in the endpoint scanner. The system itself has been very solid.
What do I think about the scalability of the solution?
Cribl is fairly easy to scale. If ingestion levels need to increase or decrease, adding new nodes is not an issue. Adding the endpoint scanner is not difficult and is fairly easy to use and upscale as needed.
How are customer service and support?
Customer support or technical support through a ticket or email has not been contacted personally. The DevOps team, which handles maintenance updates, has contacted support when running into an issue, which may occur once a year if that, so nothing major has been cause for concern.
How was the initial setup?
The initial deployment of Cribl was somewhat tedious due to the environment being specialized and restricted in an air-gapped setup, so everything had to be built on-premise. This made deployment more difficult when unable to reach the internet to get updates. It took some time, but this was strictly due to the restricted environment, as everything had to be placed on a hard drive, brought across, updated, and then troubleshot through that effort.
Which other solutions did I evaluate?
No alternatives to Cribl have been tried because there has been no need to.
What other advice do I have?
Cribl requires routine updates, with no other real maintenance required. This review is rated an eight out of ten.
Aman Verma
Has helped reduce daily log volume significantly and streamline data routing across multiple destinations
Reviewed on Oct 30, 2025
Review provided by PeerSpot
What is our primary use case?
I'm a SIEM engineer and we use Splunk and other SIEM tools. Since other SIEM tools are too expensive and security teams need different data to come into their SIEM tools, Cribl helps us filter out unwanted logs coming from syslog devices and other networking devices, which saves our license. We save around 2.2 TB every day using Cribl . All our logs go to Splunk, and we have Cribl positioned between our log sources and Splunk as the main function.
We also use Cribl for filtering and sending data to different outputs. One output is Splunk, and others include Kafka topics and different source sites like Pub/Subs, HEC endpoints, Google Pub/Sub, and Amazon S3 buckets for long-term retention of certain logs.
Recently, I have not yet worked with Cribl Cloud in production, but I had an opportunity to get hands-on experience with their lab environment.
What is most valuable?
I loved the way they created their cloud and their AI capabilities are good there. Another valuable feature of Cribl on-premises is the way it helps us filter out logs. It's a very easy tool to understand for someone new to these things, and it's easy for us to explain to new recruits we hire.
Firewall logs contain a lot of entries that security teams and audit teams don't require. We use filtering and regex in Cribl to remove unwanted logs that no one requires, such as entry logs and in-and-out logs that the syslog and firewall device would send anyway. We only need the threat logs and security logs. We save around 1 to 2 TB of logs every day using Cribl.
What needs improvement?
Regarding complexity, as I mentioned before, Cribl is very simple to use. When I started 2.5 years ago, it was very easy to learn. I learned Cribl within a week, and even though I was a fresher at the time, it was easy to understand and not complex enough that someone would need to spend money on labs. It's not that complex to learn.
Regarding cost efficiency, it's very good because nowadays the SIEM tools we use are too expensive on license, and SIEM tools base their license on how many logs get ingested. The unwanted logs, particularly firewall logs, represent a significant portion of unnecessary ingestion. Cribl saves our license by filtering out half of the firewall logs that are unwanted. Our main purpose for using Cribl is to save our license and save money.
Currently, everyone is moving toward AI agents. We currently use regex, and AI agents could help us create those regex patterns to drop events or add raw data to events. Currently, we sit down, review the logs, and create regex patterns manually, which can be time-consuming. An AI agent could reduce this time. I read some articles indicating that Cribl Cloud has started using AI and considering MCPs and model context, but I'm not certain how far along they are. If Cribl asked me what they could improve, that would be my suggestion. The support is very good, and I had a few issues with Cribl where I raised support cases and received good responses, which is better than the quick response I didn't get from other SIEM tools and vendor tools I use.
Compared to other SIEM tools, Cribl is cheaper than Splunk and DataDogs. However, it's still a bit expensive from my point of view, though I won't call it expensive. Overall, I think 99% of companies use Cribl before their SIEM tools, and compared to SIEM tools, Cribl is cheaper. Companies can use any SIEM tool such as Google, Splunk, or Cisco, and Cribl is cheaper than those SIEM tools. They might have a slight chance to reduce costs further, but I'm not the correct person to evaluate that since I'm more focused on the operational side.
Regarding training, it was quite easy to grasp. It took me almost a week to understand the basic functionalities and what Cribl does. Getting more expertise took additional time, but basic functionalities and understanding what Cribl does took around four to five days. One point I want to mention is that Cribl could improve their labs or training materials in their Cribl Cloud or whatever portal they have.
For how long have I used the solution?
I have been using Cribl personally for around 2.5 to 2.8 years. My company has been using it for a longer time, but I joined the company seven months ago, so my hands-on experience with it is around 2.5 to 2.8 years.
What do I think about the stability of the solution?
Regarding the metric part, I haven't worked much with it, so I can't tell much more about that. However, regarding log volume, it's very good. I have personally used Cribl with 10 to 12 TB of data per day in 24 hours, and I have not found any problem with log latency or ingestion issues, or Cribl not being able to handle this volume. I have not faced such issues on the logging side. On the metric side, I'm too new to provide an answer.
Currently, I haven't seen any instability or latency issues. We tried to boost logs from 4 to 5 TB up to 7 to 10 to 12 TB, and we didn't find any lagging or Cribl going down. We found initially negligible latency, but with the help of their support team, we figured out how to improve our latency. Till now, I haven't seen any outage or severe outage that would require a serious discussion about needing a resource to maintain Cribl. I don't recall the last time we maintained Cribl or checked how it's running. Maintenance is very rare.
What do I think about the scalability of the solution?
Cribl scales very well. I'm not entirely certain about the license aspect since it's based on how much log volume we put in. Initially, we had around 3 to 4 TB of license ingestion, and then we increased it to 8 to 10 TB. We raised a request to increase the license and got a new license with 8 to 10 TB of logs per day ingestion capacity. We were able to scale it very quickly without much effort required. That was a doubling from four to eight or 10 TB, but I have never tried scaling beyond that, and I haven't heard people complaining that Cribl cannot scale up.
The best part about Cribl from a scalability point of view is that it doesn't require much operating system configuration. Otherwise, we need to check every time those servers get patched, and we need to verify that anything changed on the operating system doesn't affect Cribl. That's not happening with Cribl. Any small issue on the operating system end also doesn't impact Cribl. Compared to other SIEM tools I use, any slight change on the operating system end impacts a lot on our SIEM tools and other things, but Cribl performs well in that regard.
How are customer service and support?
The support is very good. I raised a few Cribl support cases for issues I encountered and received good support from them. This is better than the quick response I didn't receive from other SIEM tools and vendor tools I use.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We have not used license-based tools previously. We tried using Logstash and Fluentd, which are open-source tools, but only for demo purposes. Since those are open-source tools, we cannot compare open-source tools with license-based tools. I never had a chance to work on any license or vendor tool related to Cribl before.
How was the initial setup?
We check the latest version of Cribl and upgrade to the latest version or whatever version we are comfortable with if a new version is available. Overall, we don't see any regular maintenance required. We are using Cribl on our virtual machines, and one good point is that Cribl doesn't require much operating system configuration. Basic operating system configuration can run Cribl. Compared to other SIEM tools that need legitimate operating system configuration and their operating system kernel versions, Cribl is quite friendly in that regard. Simple basic operating system configuration works, and Cribl doesn't need regular maintenance where we need a resource running maintenance tasks every day.
What other advice do I have?
From an engineering view, I would rate Cribl nine out of ten. I'm not certain about the license and pricing aspects, which is the one thing I consider. Overall, I enjoy working with Cribl and would give it an eight to nine rating. However, I'll give it an eight because there are always points of refinement, and nothing is perfect. My overall review rating for this product is eight out of ten.
Samer Abdallah
Enables teams to run scheduled log searches while maintaining data privacy for compliance
Reviewed on Oct 15, 2025
Review from a verified AWS customer
What is our primary use case?
What is most valuable?
The features of Cribl that I appreciate the most are the ability for in-place searching for our logs, so we don't have to move our logs outside of our cloud, which gives us privacy and compliance requirements.
Other features that we appreciate are dashboarding, alerting, and the ability to save searches so we can rerun them again on a scheduled basis. These features benefit our company in a variety of ways; mostly, our operations team can rerun their searches on a daily basis without having to rewrite the queries, and the ability to keep the data privately in our buckets is a huge requirement for us.
Cribl's ability to contain data cost and complexity is good. The complexity is very minimal. The reason for that is that the data does not move from where it lives. So there is no cost and there is no complexity in terms of moving the data and processing the data out of where it lives currently. Everything is in place, which is huge, and it makes everything so simple.
Cribl is great at handling a variety of volume logs as it is scalable and it uses scalable infrastructure behind the scenes, which allows us to constantly add more logs and it is able to handle it nicely.
Cribl search affected our data exploration practices overall. Cribl search has affected us greatly, and it has optimized our operations teams' time and efficiency. They're able to troubleshoot and find issues for our customers in a minimal amount of time. It also allows us to go back and look, for example, three months back for specific issues. With other tools, it was taking us a lot longer.
The UI is very intuitive in the sense that it gives you the chance to write your own query and customize it. And then once you figure that out, you're able to save it and rerun it on a scheduled basis so you don't have to reconfigure the query every single time.
What needs improvement?
Cribl can be improved in some ways; one of which is the ability to search multiple regions. Currently, Cribl Search is dedicated to one bucket at a time in the case of S3 buckets. The ability to search for multiple buckets would be awesome.
For how long have I used the solution?
We have been using Cribl for a little over a year now, and we use specifically Cribl Search.
What do I think about the stability of the solution?
We have not experienced any downtime or crashes with Cribl; however, we have experienced some delays with some of the Cribl Search queries when the volume of data is humongous. In some parts, due to how the data is partitioned in our cloud, we were aware of those situations. Even though we did experience them, we anticipated those delays, so that was expected.
What do I think about the scalability of the solution?
The process of expanding usage is very smooth, and Cribl Search is very scalable since it does the searches in place where the data grows, and the infrastructure behind Cribl Search is also scalable as it uses a CPU and it just spawns horizontally more instances as it demands and requires.
How are customer service and support?
I would evaluate the customer service and technical support of Cribl as superb; honestly. Every time we had an issue, we created and opened a new ticket for Cribl support, and they were very responsive. Usually, within an hour, we get a response, and we are able to work with them back and forth until we resolve the issues.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Prior to Cribl, we were able to use cloud-native specific solutions which were costly and time-consuming to pinpoint and figure out problems that can happen within a time window. It was not an easy user interface, and operations complained. Because of that, we started looking into other solutions, and that's how we stumbled upon Cribl.
What was our ROI?
The biggest return on investment when using Cribl is our time minimization for our operations team. They're able to look for customer issues real quickly, as opposed to the previous tools that we had, which were more time-consuming and also more costly. The time saved using Cribl is hours per engineer - about three hours' worth.
What's my experience with pricing, setup cost, and licensing?
I did not deal with pricing directly. We had a team that dealt with Cribl.
Which other solutions did I evaluate?
We have looked into other solutions without naming names, and we considered major tools that are in the industry that are cloud-specific, cloud-native. What stood out was that Cribl is more cost-effective, and also, the main issue for us was we wanted to keep the data in our cloud.
We don't want to migrate it due to privacy concerns and compliance requirements. Cribl was about the only tool that actually was able to satisfy our requirements, which is mostly the reason why we chose Cribl.
What other advice do I have?
I would advise someone considering Cribl to really look into Cribl products, such as we did for Cribl Search, and really examine the challenges of huge volumes of logs, as Cribl has a really nice suite of products that would satisfy these requirements. Additionally, consider the requirements of data privacy, as the data does not get moved out of your cloud.
On a scale of one to ten, I rate this solution a nine.
Dhevasenapathy Ramasamy Shanmugasundaram
Has transformed data handling by collecting from diverse sources and reducing storage and licensing costs
Reviewed on Oct 15, 2025
Review from a verified AWS customer
What is our primary use case?
We started our Cribl journey at the end of 2022, but we have been evaluating Cribl since 2020. We have been using Cribl from the end of 2022 till now, and the use case that brought Cribl into the picture is a critical business application sending its transactional logs into a database which got overwhelmed due to the sheer volume of logs. We evaluated Cribl for that use case, and now it has evolved into much more than just servicing that use case in our organization, making it a three-plus-year journey into Cribl.
What is most valuable?
Cribl plays the core essential function of handling the data telemetry pipeline in our organization, enhancing the way we collect data and bring logs from different sources. The way we have deployed Cribl is to coexist with our existing toolsets, not replacing them but working alongside them to bring the data faster and easier while managing the licensing and transforming the data from various sources. The easy agentless collection is the first feature that comes to mind as one of the critical features I appreciate the most, along with its versatility to deploy Cribl Stream for agentless collection and Cribl Edge for agented collection wherever necessary.
Collecting data is where Cribl excels, as it allows us to collect data from diverse sources easily and route it to multiple destinations, all while providing the ability to transform or apply any type of redaction on the fly through an easy-to-use UI. The features mentioned, such as easy data collection from different sources, benefit us by allowing us to be agentless wherever possible. In today's IT world, with a hybrid multi-cloud environment, we can't always deploy agents to collect data, so Cribl's agentless collection mechanism helps us get data into our environment quickly.
Cribl has been instrumental in containing our data costs, especially as we use leading log aggregation and SIEM tools known for their heavy licensing costs by ingest. Placing Cribl in our data telemetry pipeline enables us to achieve streaming the same information to multiple destinations, which fast-tracks the way we conduct POCs with various tools in the realm of observability. I saved over $200,000 in licensing by enriching and transforming the data efficiently, dropping unnecessary information and only sending relevant data to our teams.
When discussing Cribl's ability to handle high volumes of diverse data, such as logs and metrics, it plays a pivotal role. It can be deployed as an agentless collector or an agented collector, giving us control over how we collect data from sources more efficiently. We can send data into an S3 or Cribl Lake, which helps control storage costs while providing better retention aligned with our organizational needs. Firewalls produce a lot of data essential for network troubleshooting and security analytics, and handling it with a third-party log aggregation vendor often incurs high licensing and storage costs. With Cribl, we offload firewall logs from our existing log aggregation tool into low-cost storage with higher retention periods, enabling us to search the data directly using Cribl's search functionalities, creating a unified view for our networking and security teams and achieving close to a 40% reduction in firewall logs.
What needs improvement?
Cribl can improve by providing automated analytics and advanced parsing capabilities since it handles data at its core. I'm particularly interested in innovations such as Cribl Guard for automated PCI and PII masking, and a more stringent role-based access control feature would enhance security and allow granular control over what users can see and access.
For how long have I used the solution?
I've been working in this industry for over a decade now, close to a 15-year mark, as I started my career as a system administrator and slowly grew into this managerial role. I've stayed close with the current technology I've worked with since my start till now, and for over seven years, I have been in the monitoring and logging area where I have developed myself into this management role.
What do I think about the scalability of the solution?
Cribl's scalability is impressive, playing a vital role in transforming our logging strategy with its vendor-agnostic design. We use a hybrid deployment approach and a pull mechanism for most data sources. Managing data onboarding and transition becomes easier with Cribl, allowing for efficient growth as needs increase.
How are customer service and support?
Cribl's customer service and technical support exceed expectations, with a knowledgeable sales team and service executive who assist in resolving issues swiftly. Most support requests arise from our limited product knowledge rather than product issues, and the Cribl support team resolves queries typically within four hours.
How would you rate customer service and support?
Positive
What was our ROI?
The biggest return on investment with Cribl is improved handling of data and efficient routing to multiple destinations, saving costs across infrastructure and licensing. Cribl is versatile and continues to develop, allowing us to strategize and manage our observability landscape effectively.
What's my experience with pricing, setup cost, and licensing?
Cribl has been excellent when it comes to pricing, setup cost, and licensing. The team navigates us through their models seamlessly and we adopt Cribl Cloud easily. Within a month's time, we're able to transfer 400 to 500 GB of data from a different logging solution, thus positioning Cribl as a core piece in our telemetry pipeline.
What other advice do I have?
Deploying Cribl is straightforward; we quickly set up our Cribl Cloud tenant and defined the architecture through resident services and core architects. We manage to create a hybrid deployment model efficiently, bringing substantial savings in licensing and infrastructure costs while enhancing our data handling capabilities.
We deploy in a hybrid model, integrating worker nodes and Edge fleet in our enterprise data centers and cloud platforms near our data sources while using Cribl Cloud for management, ensuring limited access to prevent unwanted changes. In our AI journey, we are just getting started, becoming somewhat novice in this area. Cribl has enabled us to lean toward AI by integrating tools such as Copilot, which helps fast-track building pipelines and generating scripts. With Copilot, we see increased productivity, making it a key feature that enhances how we learn and utilize Cribl.
Cribl Search has significantly improved the way we handle and explore data. Initially, we onboarded all networking devices to stream data into low-cost storage, using Cribl Search to query that data, which now gives our networking, security, and operations teams a single data set to query without the need to remember multiple sets. The setup is cost-effective, and the federated method of Cribl Search allows for efficient querying without performance loss, enhancing our analytics capabilities.
Cribl's user interface is straightforward and user-friendly, allowing us to set up data collection sources quickly. It's self-explanatory, helping me navigate and visualize data without relying solely on commands. I appreciate how Cribl's UX caters to users, making tools accessible without needing extensive knowledge transfers. Based on our usage, I would rate Cribl a 10 overall.