
Overview
Cribl Product Overview
How telemetry data was managed over the last 10 years will not work for the next 10. Cribl is purpose built to meet the unique challenges IT and Security teams face.
Cribl.Cloud is the easiest way to try Cribl products in the cloud through a unified platform. Cribl's suite of products gives flexibility and control back to customers. With routing, shaping, enriching, and search functionalities that make data more manageable, you can easily clean up your data, get it where it needs to be, work more efficiently, and ultimately gain the control and confidence needed to be successful.
The Cribl.Cloud suite of products includes:
- Stream: A highly scalable data router for data collection, reduction, enrichment, and routing of observability data.
- Edge: An intelligent, scalable edge-based data collection system for logs, metrics, and application data.
- Lake: Storage that does not lock data in. Cribl Lake is a turnkey data lake that makes it easy and economical to store, access, replay, and analyze data, no expertise needed.
- Search: A search feature to perform federated search-in-place queries on any data, in any form.
Getting Started
When you purchase your Cribl.Cloud subscription directly from the AWS Marketplace, you can experience a smooth billing process that you're already familiar with, without needing to set up a separate procurement plan to use Cribl products. Track billing and usage directly in Cribl.Cloud.
Enjoy a quick and easy purchasing experience by utilizing your existing spend commitments through the AWS Enterprise Discount Program (EDP) to subscribe to Cribl.Cloud. Get flexible pricing and terms by purchasing through a private offer. Purchase the Cribl Cloud Suite of offerings at a pre-negotiated price. Contact awsmp@cribl.io or a sales representative for flexible pricing for 12/24/36-month terms.
We are available in US-West-2 (Oregon), US-East-2 (Ohio), US-East-1 (Virginia), CA-Central-1 (Canada Central), EU-West-2 (London), EU-Central-1 (Frankfurt), and AP-Southeast-2 (Sydney) with more regions coming soon! Regional pricing will apply.
To learn more about pricing and the consumption pricing philosophy, please visit:
- Cribl Pricing - https://cribl.io/cribl-pricing/
- Cribl.Cloud Simplified with Consumption Pricing Blog - https://cribl.io/blog/cribl-cloud-consumption-pricing/
Highlights
- Fast and easy onboarding - With zero-touch deployment, you can quickly start using Cribl products without the hassle, burden, and cost of managing infrastructure.
- Instant scalability - The cloud provides flexibility to easily scale up or down to meet changing business needs and dynamic data demands.
- Trusted security - Cribl knows how important protecting data is, and built all Cribl products and services from the ground up with security as the top priority. Cribl.Cloud is SOC 2 compliant, ensuring all your data is protected and secure. Cribl.Cloud is currently In Process for FedRAMP IL4.
Pricing
Free trial
| Dimension | Description | Cost/12 months | 
|---|---|---|
| Cribl.Cloud Free | Cribl.Cloud Suite Free Tier | $0.00 | 
| Cribl.Cloud Enterprise | Cribl.Cloud Suite Enterprise with 1TB Daily ingestion | $142,800.00 | 
The following dimensions are not included in the contract terms and will be charged based on your usage.
| Dimension | Cost/unit | 
|---|---|
| Overage Fees | $0.01 | 
Vendor refund policy
Cribl will refund prior payments attributable to the unused remainder of your purchase.
Delivery details
Software as a Service (SaaS)
SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.
Additional details
Usage instructions
Cribl Cloud Trust IAM Role CloudFormation Template
This CloudFormation template creates an IAM role that allows Cribl Cloud to access specific AWS resources in your account. The role is designed to provide Cribl Cloud with the necessary permissions to interact with S3 buckets and SQS queues.
Template Overview
The template does the following:
- Creates an IAM role named CriblTrustCloud
- Configures a trust relationship with Cribl Cloud's AWS account
- Attaches a policy that grants access to S3 and SQS resources
- Outputs the role name, ARN, and an external ID for authentication
Parameters
- CriblCloudAccountID: The AWS account ID of Cribl Cloud (default: '012345678910')
IAM Role Details
Trust Relationship
The role trusts two specific roles in the Cribl Cloud account:
- arn:aws:iam::{CriblCloudAccountID}:role/search-exec-main
- arn:aws:iam::{CriblCloudAccountID}:role/main-default
These roles can assume the CriblTrustCloud role using the sts:AssumeRole, sts:TagSession, and sts:SetSourceIdentity actions.
Permissions
The role has a policy named CriblCloudS3SQSPolicy that grants the following permissions:
- S3 access:
  - List buckets
  - Get and put objects
  - Get bucket location
- SQS access:
  - Receive and delete messages
  - Change message visibility
  - Get queue attributes and URL
These permissions apply to all S3 buckets and SQS queues in the account.
Security Feature
The template includes a security feature that requires an external ID for authentication. This external ID is derived from the CloudFormation stack ID, providing an additional layer of security when assuming the role.
Outputs
The template provides three outputs:
- RoleName: The name of the created IAM role
- RoleArn: The ARN of the created role
- ExternalId: The external ID required for authentication when assuming the role
Usage
To use this template:
- Deploy it in your AWS account using CloudFormation
- Provide the resulting role ARN and external ID to Cribl Cloud
- Cribl Cloud can then assume this role to access your S3 and SQS resources
Remember to review and adjust the permissions as necessary to align with your security requirements and the specific needs of your Cribl Cloud integration.

Enable CloudTrail and VPC Flow Logging for Cribl Cloud
This document explains the resources that will be created when deploying the provided CloudFormation template. The template is designed to create an IAM role that trusts Cribl Cloud and sets up CloudTrail and VPC Flow logging to an S3 bucket.
Template Overview
The template automates the creation of AWS resources to enable centralized logging, specifically focusing on CloudTrail logs and VPC Flow Logs. It creates S3 buckets for storing these logs, SQS queues for triggering processes upon log arrival, and an IAM role to allow Cribl Cloud to access these logs.
Resources Created
Here's a breakdown of the resources defined in the CloudFormation template:
- CriblCTQueue (AWS::SQS::Queue): Creates an SQS queue named according to the CTSQS parameter (default: cribl-cloudtrail-sqs). This queue will be used to trigger actions when new CloudTrail logs are written to the S3 bucket.
  - Properties:
    - QueueName: !Ref CTSQS - Sets the queue name to the value of the CTSQS parameter.
- CriblCTQueuePolicy (AWS::SQS::QueuePolicy): Defines the policy for the CriblCTQueue, allowing s3.amazonaws.com to send messages to the queue. The policy includes a condition that the source account must match the AWS account ID in which the stack is deployed. This ensures only S3 events from the current AWS account can trigger the queue.
  - Properties:
    - PolicyDocument:
      - Statement:
        - Effect: Allow - Allows actions specified in the policy.
        - Principal: Service: s3.amazonaws.com - Specifies the service that can perform the actions.
        - Action: SQS:SendMessage - Allows sending messages to the queue.
        - Resource: !GetAtt CriblCTQueue.Arn - The ARN of the SQS queue.
        - Condition:
          - StringEquals: 'aws:SourceAccount': !Ref AWS::AccountId - Restricts the source account to the account where the stack is deployed.
    - Queues: !Ref CTSQS - Associates the policy with the SQS queue.
- TrailBucket (AWS::S3::Bucket): Creates an S3 bucket used to store CloudTrail logs. The bucket is configured with a NotificationConfiguration that sends an event to the CriblCTQueue when a new object is created (specifically, a PUT operation). This will trigger processing when new CloudTrail logs are available.
  - Properties:
    - NotificationConfiguration:
      - QueueConfigurations:
        - Event: s3:ObjectCreated:Put - Specifies that the notification should be triggered when an object is created using a PUT operation.
        - Queue: !GetAtt CriblCTQueue.Arn - The ARN of the SQS queue to send the notification to.
  - DependsOn: CriblCTQueuePolicy - Ensures that the queue policy is created before the bucket.
- TrailBucketPolicy (AWS::S3::BucketPolicy): Defines the policy for the TrailBucket. This policy grants permissions to:
  - delivery.logs.amazonaws.com: Allows the AWS Logs service to write objects to the bucket, ensuring proper log delivery. It requires bucket-owner-full-control ACL.
  - cloudtrail.amazonaws.com: Allows CloudTrail to get the bucket ACL and put objects into the bucket. It also requires bucket-owner-full-control ACL.
  - A Deny statement that enforces the use of SSL for all requests to the bucket, enhancing security.
  - Properties:
    - Bucket: !Ref TrailBucket - The name of the S3 bucket.
    - PolicyDocument:
      - Version: 2012-10-17 - The version of the policy document.
      - Statement:
        - Sid: AWSLogDeliveryWrite
          - Effect: Allow - Allows the action specified.
          - Principal: Service: delivery.logs.amazonaws.com - The AWS Logs service principal.
          - Action: s3:PutObject - Allows putting objects into the bucket.
          - Resource: !Sub '${TrailBucket.Arn}/AWSLogs/' - The S3 bucket and prefix to allow the action on.
          - Condition: StringEquals: 's3:x-amz-acl': bucket-owner-full-control - Requires the bucket-owner-full-control ACL.
        - Sid: AWSCloudTrailAclCheck
          - Effect: Allow
          - Principal: Service: cloudtrail.amazonaws.com
          - Action: s3:GetBucketAcl
          - Resource: !Sub '${TrailBucket.Arn}'
        - Sid: AWSCloudTrailWrite
          - Effect: Allow
          - Principal: Service: cloudtrail.amazonaws.com
          - Action: s3:PutObject
          - Resource: !Sub '${TrailBucket.Arn}/AWSLogs/*/*'
          - Condition: StringEquals: 's3:x-amz-acl': 'bucket-owner-full-control'
        - Sid: AllowSSLRequestsOnly
          - Effect: Deny
          - Principal: * - Applies to all principals.
          - Action: s3:* - Denies all S3 actions.
          - Resource:
            - !GetAtt TrailBucket.Arn
            - !Sub '${TrailBucket.Arn}/*'
          - Condition: Bool: 'aws:SecureTransport': false - Denies requests that are not using SSL.
- ExternalTrail (AWS::CloudTrail::Trail): Creates a CloudTrail trail. It is configured to:
  - Store logs in the TrailBucket.
  - Include global service events.
  - Enable logging.
  - Create a multi-region trail.
  - Enable log file validation.
  - Properties:
    - S3BucketName: !Ref TrailBucket - The name of the S3 bucket where the logs will be stored.
    - IncludeGlobalServiceEvents: true - Includes global service events.
    - IsLogging: true - Enables logging.
    - IsMultiRegionTrail: true - Creates a multi-region trail.
    - EnableLogFileValidation: true - Enables log file validation.
    - TrailName: !Sub '${TrailBucket}-trail' - Sets the name of the trail.
  - DependsOn:
    - TrailBucket
    - TrailBucketPolicy
- CriblVPCQueue (AWS::SQS::Queue): Creates an SQS queue named according to the VPCSQS parameter (default: cribl-vpc-sqs). This queue will be used to trigger actions when new VPC Flow Logs are written to the S3 bucket.
  - Properties:
    - QueueName: !Ref VPCSQS - Sets the queue name.
- CriblVPCQueuePolicy (AWS::SQS::QueuePolicy): Defines the policy for the CriblVPCQueue, allowing s3.amazonaws.com to send messages to the queue. Similar to CriblCTQueuePolicy, it restricts access to events originating from the same AWS account.
  - Properties:
    - PolicyDocument:
      - Statement:
        - Effect: Allow
        - Principal: Service: s3.amazonaws.com
        - Action: SQS:SendMessage
        - Resource: !GetAtt CriblVPCQueue.Arn
        - Condition: StringEquals: 'aws:SourceAccount': !Ref "AWS::AccountId"
    - Queues: !Ref VPCSQS
- LogBucket (AWS::S3::Bucket): Creates an S3 bucket used to store VPC Flow Logs. The bucket is configured with a NotificationConfiguration to send an event to the CriblVPCQueue when new objects are created.
  - Properties:
    - NotificationConfiguration:
      - QueueConfigurations:
        - Event: s3:ObjectCreated:Put
        - Queue: !GetAtt CriblVPCQueue.Arn
  - DependsOn: CriblVPCQueuePolicy
- LogBucketPolicy (AWS::S3::BucketPolicy): Defines the policy for the LogBucket. This policy grants permissions to:
  - delivery.logs.amazonaws.com: Allows the AWS Logs service to write objects to the bucket. It requires bucket-owner-full-control ACL.
  - Allows delivery.logs.amazonaws.com to get the bucket ACL.
  - Enforces SSL for all requests to the bucket.
  - Properties:
    - Bucket: !Ref LogBucket
    - PolicyDocument:
      - Version: 2012-10-17
      - Statement:
        - Sid: AWSLogDeliveryWrite
          - Effect: Allow
          - Principal: Service: delivery.logs.amazonaws.com
          - Action: s3:PutObject
          - Resource: !Sub '${LogBucket.Arn}/AWSLogs/${AWS::AccountId}/*'
          - Condition: StringEquals: 's3:x-amz-acl': bucket-owner-full-control
        - Sid: AWSLogDeliveryAclCheck
          - Effect: Allow
          - Principal: Service: delivery.logs.amazonaws.com
          - Action: s3:GetBucketAcl
          - Resource: !GetAtt LogBucket.Arn
        - Sid: AllowSSLRequestsOnly
          - Effect: Deny
          - Principal: *
          - Action: s3:*
          - Resource:
            - !GetAtt LogBucket.Arn
            - !Sub '${LogBucket.Arn}/*'
          - Condition: Bool: 'aws:SecureTransport': false
- FlowLog (AWS::EC2::FlowLog): Creates a VPC Flow Log that captures network traffic information for the VPC specified in the VPCId parameter. The flow logs are stored in the LogBucket. The type of traffic to log is determined by the TrafficType parameter (ALL, ACCEPT, or REJECT).
  - Properties:
    - LogDestination: !Sub 'arn:${AWS::Partition}:s3:::${LogBucket}' - The ARN of the S3 bucket where the flow logs will be stored.
    - LogDestinationType: s3 - Specifies that the destination is an S3 bucket.
    - ResourceId: !Ref VPCId - The ID of the VPC to log.
    - ResourceType: VPC - Specifies that the resource is a VPC.
    - TrafficType: !Ref TrafficType - The type of traffic to log (ALL, ACCEPT, REJECT).
- CriblTrustCloud (AWS::IAM::Role): Creates an IAM role that allows Cribl Cloud to access AWS resources.
  - Properties:
    - AssumeRolePolicyDocument:
      - Version: 2012-10-17
      - Statement:
        - Effect: Allow
        - Principal:
          - AWS:
            - !Sub 'arn:aws:iam::${CriblCloudAccountID}:role/search-exec-main'
            - !Sub 'arn:aws:iam::${CriblCloudAccountID}:role/main-default'
        - Action:
          - sts:AssumeRole
          - sts:TagSession
          - sts:SetSourceIdentity
        - Condition:
          - StringEquals: 'sts:ExternalId': !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref 'AWS::StackId']]]]
    - Description: Role to provide access AWS resources from Cribl Cloud Trust
    - Policies:
      - PolicyName: SQS
        - PolicyDocument:
          - Version: 2012-10-17
          - Statement:
            - Effect: Allow
            - Action:
              - sqs:ReceiveMessage
              - sqs:DeleteMessage
              - sqs:GetQueueAttributes
              - sqs:GetQueueUrl
            - Resource:
              - !GetAtt CriblCTQueue.Arn
              - !GetAtt CriblVPCQueue.Arn
      - PolicyName: S3EmbeddedInlinePolicy
        - PolicyDocument:
          - Version: 2012-10-17
          - Statement:
            - Effect: Allow
            - Action:
              - s3:ListBucket
              - s3:GetObject
              - s3:PutObject
              - s3:GetBucketLocation
            - Resource:
              - !Sub ${TrailBucket.Arn}
              - !Sub ${TrailBucket.Arn}/*
              - !Sub ${LogBucket.Arn}
              - !Sub ${LogBucket.Arn}/*
Parameters
The template utilizes parameters to allow customization during deployment:
- CriblCloudAccountID: The AWS account ID of the Cribl Cloud instance. This is required for the IAM role's trust relationship.
  - Description: Cribl Cloud Trust AWS Account ID. Navigate to Cribl.Cloud, go to Workspace and click on Access. Find the Trust and copy the AWS Account ID found in the trust ARN.
  - Type: String
  - Default: '012345678910'
- CTSQS: The name of the SQS queue for CloudTrail logs.
  - Description: Name of the SQS queue for CloudTrail to trigger for S3 log retrieval.
  - Type: String
  - Default: cribl-cloudtrail-sqs
- TrafficType: The type of traffic to log for VPC Flow Logs (ALL, ACCEPT, REJECT).
  - Description: The type of traffic to log.
  - Type: String
  - Default: ALL
  - AllowedValues: ACCEPT, REJECT, ALL
- VPCSQS: The name of the SQS queue for VPC Flow Logs.
  - Description: Name of the SQS for VPCFlow Logs.
  - Type: String
  - Default: cribl-vpc-sqs
- VPCId: The ID of the VPC for which to enable flow logging.
  - Description: Select your VPC to enable logging
  - Type: AWS::EC2::VPC::Id
Outputs
The template defines outputs that provide key information about the created resources:
- CloudTrailS3Bucket: The ARN of the S3 bucket storing CloudTrail logs.
  - Description: Amazon S3 Bucket for CloudTrail Events
  - Value: !GetAtt TrailBucket.Arn
- VPCFlowLogsS3Bucket: The ARN of the S3 bucket storing VPC Flow Logs.
  - Description: Amazon S3 Bucket for VPC Flow Logs
  - Value: !GetAtt LogBucket.Arn
- RoleName: The name of the created IAM role.
  - Description: Name of created IAM Role
  - Value: !Ref CriblTrustCloud
- RoleArn: The ARN of the created IAM role.
  - Description: Arn of created Role
  - Value: !GetAtt CriblTrustCloud.Arn
- ExternalId: The external ID used for authentication when assuming the IAM role.
  - Description: External Id for authentication
  - Value: !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref 'AWS::StackId']]]]
Deployment Considerations
- Cribl Cloud Account ID: Ensure the CriblCloudAccountID parameter is set to the correct AWS account ID for your Cribl Cloud instance. This is crucial for establishing the trust relationship.
- S3 Bucket Names: S3 bucket names must be globally unique. If the template is deployed multiple times in the same region, you may need to adjust the names of the buckets. Consider using a Stack name prefix.
- VPC ID: The VPCId parameter should be set to the ID of the VPC for which you want to enable flow logging.
- Security: Regularly review and update IAM policies to adhere to the principle of least privilege. Consider using more restrictive S3 bucket policies if necessary.
- SQS Queue Configuration: Monitor the SQS queues for backlog and adjust the processing capacity accordingly.
- CloudTrail Configuration: Confirm that CloudTrail is properly configured to deliver logs to the designated S3 bucket.
- VPC Flow Log Configuration: Verify that VPC Flow Logs are correctly capturing network traffic.
- External ID: The External ID is a critical security measure for cross-account access. Make sure it's correctly configured in both AWS and Cribl Cloud.
This detailed explanation provides a comprehensive understanding of the resources created by the CloudFormation template, enabling informed deployment and management. Remember to adapt parameters to your specific environment and security requirements.
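The external ID derivation used by both templates, and the difference in resource scope between them (account-wide in the first, limited to the stack's own queues and buckets in the second), can be checked before deployment. The Python below is an added example, not part of Cribl's templates: the stack ID, account numbers, bucket names and policy JSON are constructed from the descriptions above, and the function names are illustrative.

```python
# Added example: pre-deployment checks for the CriblTrustCloud role.
# All sample values below are constructed for illustration.
SAMPLE_STACK_ID = (
    "arn:aws:cloudformation:us-west-2:111122223333:"
    "stack/cribl-trust/0a1b2c3d-4e5f-6789-abcd-ef0123456789"
)
CRIBL_ACCOUNT_ID = "012345678910"  # the template's placeholder default
TRUSTED_ROLES = {
    f"arn:aws:iam::{CRIBL_ACCOUNT_ID}:role/search-exec-main",
    f"arn:aws:iam::{CRIBL_ACCOUNT_ID}:role/main-default",
}


def external_id_from_stack_id(stack_id):
    """Evaluate !Select [4, !Split ['-', !Select [2, !Split ['/', StackId]]]]."""
    segments = stack_id.split("/")  # [ARN prefix, stack name, stack UUID]
    if len(segments) != 3:
        raise ValueError(f"unexpected stack ID: {stack_id!r}")
    groups = segments[2].split("-")
    if len(groups) != 5:
        raise ValueError("stack ID does not end in a five-group UUID")
    # The last UUID group: 12 hex characters, readable by anyone who can see
    # the stack ID, so treat it as a confused-deputy guard, not as a secret.
    return groups[4]


def as_list(value):
    """IAM JSON allows a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, expected_external_id):
    """Return findings for Allow statements that weaken the cross-account trust."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        findings += [f"unexpected principal: {a}" for a in arns if a not in TRUSTED_ROLES]
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is None:
            findings.append("no sts:ExternalId condition")
        elif required != expected_external_id:
            findings.append("sts:ExternalId differs from the stack-derived value")
    return findings


def unscoped_grants(policy):
    """Return (action, resource) pairs an Allow grants on every bucket or queue."""
    hits = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for resource in as_list(stmt.get("Resource", [])):
            # "*", "arn:aws:s3:::*" and "arn:aws:sqs:*:*:*" all end in a bare "*".
            if resource.split(":")[-1] == "*":
                hits += [(action, resource) for action in as_list(stmt["Action"])]
    return hits


def trust_policy(external_id):
    """Trust policy shaped like the one both templates describe (constructed)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": sorted(TRUSTED_ROLES)},
        "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"],
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}


S3_ACTIONS = ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:GetBucketLocation"]
SQS_ACTIONS = ["sqs:ReceiveMessage", "sqs:DeleteMessage",
               "sqs:GetQueueAttributes", "sqs:GetQueueUrl"]

# Constructed from the first template's description: every bucket and queue.
# Exact action names for that template are assumed from its prose summary.
ACCOUNT_WIDE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": S3_ACTIONS, "Resource": "*"},
    {"Effect": "Allow", "Action": SQS_ACTIONS + ["sqs:ChangeMessageVisibility"],
     "Resource": "*"},
]}

# Constructed from the second template: only its own queues and buckets.
# Bucket names and queue ARNs are placeholders.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": SQS_ACTIONS, "Resource": [
        "arn:aws:sqs:us-west-2:111122223333:cribl-cloudtrail-sqs",
        "arn:aws:sqs:us-west-2:111122223333:cribl-vpc-sqs"]},
    {"Effect": "Allow", "Action": S3_ACTIONS, "Resource": [
        "arn:aws:s3:::example-trail-bucket", "arn:aws:s3:::example-trail-bucket/*",
        "arn:aws:s3:::example-log-bucket", "arn:aws:s3:::example-log-bucket/*"]},
]}

if __name__ == "__main__":
    ext = external_id_from_stack_id(SAMPLE_STACK_ID)
    print("external ID:", ext)
    print("trust findings:", audit_trust_policy(trust_policy(ext), ext))
    for action, resource in unscoped_grants(ACCOUNT_WIDE_POLICY):
        print(f"account-wide grant: {action} on {resource}")
    print("scoped template grants flagged:", len(unscoped_grants(SCOPED_POLICY)))
```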
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Customer reviews
Enables teams to run scheduled log searches while maintaining data privacy for compliance
What is our primary use case?
Our main use cases for Cribl are Cribl Search, which allows us to search for logs and metrics for our cloud engineering data.
What is most valuable?
The features of Cribl that I appreciate the most are the ability for in-place searching for our logs, so we don't have to move our logs outside of our cloud, which gives us privacy and compliance requirements.
Other features that we appreciate are dashboarding, alerting, and the ability to save searches so we can rerun them again on a scheduled basis. These features benefit our company in a variety of ways; mostly, our operations team can rerun their searches on a daily basis without having to rewrite the queries, and the ability to keep the data privately in our buckets is a huge requirement for us.
Cribl's ability to contain data cost and complexity is good. The complexity is very minimal. The reason for that is that the data does not move from where it lives. So there is no cost and there is no complexity in terms of moving the data and processing the data out of where it lives currently. Everything is in place, which is huge, and it makes everything so simple.
Cribl is great at handling a variety of volume logs as it is scalable and it uses scalable infrastructure behind the scenes, which allows us to constantly add more logs and it is able to handle it nicely.
Cribl search affected our data exploration practices overall. Cribl search has affected us greatly, and it has optimized our operations teams' time and efficiency. They're able to troubleshoot and find issues for our customers in a minimal amount of time. It also allows us to go back and look, for example, three months back for specific issues. With other tools, it was taking us a lot longer.
The UI is very intuitive in the sense that it gives you the chance to write your own query and customize it. And then once you figure that out, you're able to save it and rerun it on a scheduled basis so you don't have to reconfigure the query every single time.
What needs improvement?
Cribl can be improved in some ways; one of which is the ability to search multiple regions. Currently, Cribl Search is dedicated to one bucket at a time in the case of S3 buckets. The ability to search for multiple buckets would be awesome.
For how long have I used the solution?
We have been using Cribl for a little over a year now, and we use specifically Cribl Search.
What do I think about the stability of the solution?
We have not experienced any downtime or crashes with Cribl; however, we have experienced some delays with some of the Cribl Search queries when the volume of data is humongous. In some parts, due to how the data is partitioned in our cloud, we were aware of those situations. Even though we did experience them, we anticipated those delays, so that was expected.
What do I think about the scalability of the solution?
The process of expanding usage is very smooth, and Cribl Search is very scalable since it does the searches in place where the data grows, and the infrastructure behind Cribl Search is also scalable as it uses a CPU and it just spawns horizontally more instances as it demands and requires.
How are customer service and support?
I would evaluate the customer service and technical support of Cribl as superb; honestly. Every time we had an issue, we created and opened a new ticket for Cribl support, and they were very responsive. Usually, within an hour, we get a response, and we are able to work with them back and forth until we resolve the issues.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Prior to Cribl, we were able to use cloud-native specific solutions which were costly and time-consuming to pinpoint and figure out problems that can happen within a time window. It was not an easy user interface, and operations complained. Because of that, we started looking into other solutions, and that's how we stumbled upon Cribl.
What was our ROI?
The biggest return on investment when using Cribl is our time minimization for our operations team. They're able to look for customer issues real quickly, as opposed to the previous tools that we had, which were more time-consuming and also more costly. The time saved using Cribl is hours per engineer - about three hours' worth.
What's my experience with pricing, setup cost, and licensing?
I did not deal with pricing directly. We had a team that dealt with Cribl.
Which other solutions did I evaluate?
We have looked into other solutions without naming names, and we considered major tools that are in the industry that are cloud-specific, cloud-native. What stood out was that Cribl is more cost-effective, and also, the main issue for us was we wanted to keep the data in our cloud.
We don't want to migrate it due to privacy concerns and compliance requirements. Cribl was about the only tool that actually was able to satisfy our requirements, which is mostly the reason why we chose Cribl.
What other advice do I have?
I would advise someone considering Cribl to really look into Cribl products, such as we did for Cribl Search, and really examine the challenges of huge volumes of logs, as Cribl has a really nice suite of products that would satisfy these requirements. Additionally, consider the requirements of data privacy, as the data does not get moved out of your cloud.
On a scale of one to ten, I rate this solution a nine.
Has significantly reduced operational noise and simplified data routing for better log management
What is our primary use case?
Our main use case for Cribl is to help us reduce cost. Currently, we use the Stream and Edge products of Cribl, and it's on-premise for us. The Stream helps us with any optimization work that we have to do in terms of reduction of the data itself.
What is most valuable?
The Stream product benefits us by giving us the ability to reduce and streamline the logs flowing into our SIEM. Cribl Stream helps us optimize the data before it reaches our SIEM tools. We've performed extensive aggregation and deduplication of logs, allowing us to cut down unnecessary data before it's sent downstream. This has helped us reduce costs by controlling exactly what data gets forwarded to the SIEM.
In our case, we deal with very chatty logs, especially firewall and other network logs. Using Cribl’s aggregation and drop functions, we were able to significantly reduce the noise. We send a full copy of the raw data to S3 or another data lake, while only the reduced logs are sent to the SIEM.
Another major value we gained from Cribl was how quickly and efficiently our data pipeline became. Previously, onboarding new sources or clients was a challenge. Now, the process is semi-automated and far more streamlined compared to what we had before.
What needs improvement?
One area that could be improved is the aggregation functionality within Cribl. It's very difficult to aggregate low-volume logs because the worker processes don't share state. Since each worker process initiates separately, it becomes very challenging for aggregation to maintain a consistent state across them. As a result, aggregation becomes problematic, with different worker processes operating in different states while pulling data. A good improvement to the aggregation functionality would be if most of these events could somehow land in a central processing unit or repository, where aggregation could be applied before the data is sent downstream.
For how long have I used the solution?
I've been using Cribl for over three years now.
What do I think about the stability of the solution?
I can confidently say we’re finally getting some good sleep. Before Cribl, we were constantly getting late-night calls about data flow interruptions. Migrating from those SC4S servers to Cribl worker nodes has truly been a game-changer.
What do I think about the scalability of the solution?
In terms of scale, Cribl scales very efficiently because we do horizontal scaling. If we have a burst in data sources or an increase in data sources, all we have to do is add new worker nodes, and usually that solves the problem.
How are customer service and support?
The customer service and the technical support team at Cribl has been very helpful to us. We've had some really unique cases where sometimes they would refer us to professional services, but they would come back with solutions from someone who may have run into that similar issue and provide us with a solution without having to go through professional services. This has been very helpful.
Which solution did I use previously and why did I switch?
Prior to Cribl, we were using SC4S, which had a syslog-ng engine, and we were doing a lot of manual work, especially when we had new data sources. We had to build something that didn't have a pre-built template within SC4S; it was a challenge to build out templates for it, especially with new folks joining the team sometimes who didn't have any clue about where these things were being kept. It was a huge challenge for us to build those templates for data sources that didn't have any templates at all.
We also had our heavy forwarders, which we were writing transformations and props to help us reduce data. It wasn't doing quite a very good job, and Cribl had some of these advanced functionalities such as aggregation and those drop functions, which was very easy to configure, whereas in the past with the heavy forwarders, it was very hard sometimes to even build transformations to do the same thing.
What about the implementation team?
When deploying Cribl, the process went very smooth because we had a Cribl engineer on our side who helped us significantly.
What was our ROI?
In terms of pricing, we had a very good deal with Cribl. We were paying very expensive SIEM costs, and introducing Cribl into the picture was able to bring down that cost. We were able to get the setup for the whole Cribl infrastructure at little to no cost, and it definitely brought us significant value and cost savings from that direction. In terms of reduction, we were able to save almost ~40% of our total cost.
Which other solutions did I evaluate?
Other products that we considered throughout the process included Splunk Ingest Processor, and we did a POC on that as well. Some of the positive aspects about the Ingest Processor was that it was right at the edge of your Splunk deployment and therefore there isn't any need to deploy or reshift your infrastructure; it actually goes right into it and then feeds into your Splunk environment. In terms of the disadvantages of Splunk Ingest Processor, it has very limited functionalities compared to what we were getting from Cribl. Cribl gives us the aggregation functionality, which was a huge win for us, being able to aggregate all the events brought us huge reductions, and also the drop functionality and some really advanced functionality within the Cribl tool itself.
What other advice do I have?
Based on my experience, the advice I would give to other companies considering Cribl is that your decision should be very specific to your use case but do not underestimate the amount of data you're dealing with. Data will continue to grow over time, and a tool like Cribl can significantly help reduce costs before the data is sent downstream.
Another important consideration is whether you need to send data to multiple destinations. This was a challenge for us previously, and Cribl helped simplify that process. My advice to companies is: if you're drowning in data and cost, Cribl is essential. It gives you full control over your data and makes management much easier.
As an organization, we've adopted AI heavily and integrated it into many of the tools we use today. We're actively looking to bring similar capabilities into Cribl. It's already in our pipeline, and we see strong potential in using AI to streamline how we build Packs and Pipelines. With AI integrated, we believe it could significantly reduce the time admins spend building specific pipelines for various data sources.
On a scale of one to ten, I would rate Cribl a solid nine based on what we use it for today and the value it delivers.
Which deployment model are you using for this solution?
Reduces ingest costs and improves data relevance in security operations
What is our primary use case?
Our main use case for Cribl was primarily data reduction, as we were spending a lot of money on data ingest, and we brought Cribl on board to reduce the amount of money we were spending on that ingest.
Reduction in firewall logs was our primary use case for Cribl, as 80% of our data is Palo Alto firewall logs, and a lot of it we don't necessarily need in the SIEM tool, so we use Cribl to reduce that, keep only the stuff we want, drop the rest, and keep it out of the SIEM tool. The reduction in firewall logs keeps the unwanted data out so that when the security engineers are inside the SIEM tool, they only see the stuff they need to see.
What is most valuable?
The features of Cribl that I appreciate the most are the vendor agnosticism and the ability to send data almost anywhere you want, regardless of the data type, the format, or the destination; it's very flexible, and we've been able to integrate it with the tools that we have used in the past and are planning to use in the future.
The UI is very clean and super intuitive, making it very easy to bring data on via the sources, route the data to any number of destinations that you want, and create pipelines to transform and morph that data however you want.
Cribl is great in the sense that it can handle a large amount of volume and scales with the amount of data that you want to bring on board; if you need to bring on board more data, you just increase the amount of workers that you have.
We use Cribl to reduce data cost and complexity by both dropping fields that we don't want or parts of events that we don't want while keeping the things we do want, while also keeping all of the data, the event in its full form. We're a government agency, so we need to keep everything. With Cribl, we can have our cake and eat it too, in a sense.
What needs improvement?
I'm an engineer, so I think about logging. Improvement could be made in the logging area, as sometimes we encounter issues in a pipeline or something, and it's not immediately obvious when you look at the logs that the pipeline is failing.
For how long have I used the solution?
I've been using Cribl for around four years.
What do I think about the stability of the solution?
I would give Cribl a great rating on stability and reliability, especially if you use the built-in alerting engine that they have, as you can get alerts directly if there are any problems with the worker itself or worker processes, and the built-in monitoring page makes it super easy to monitor the health of all your worker processes.
What do I think about the scalability of the solution?
Cribl scales great with our company as we're actually bringing on a lot more data with all the AI tools rolling out, which generate a lot of logs, and Cribl scales horizontally by just adding more workers and worker processes, allowing us to tackle that data smoothly, quickly, and efficiently.
How are customer service and support?
We've had a great experience with Cribl customer service, as we have dedicated PS resources that have been super helpful when we were rolling out Cribl initially, migrating sources of data from syslog over to Cribl, routing, and parsing, with the support being A+ on both the PS side and the technical support side.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Cribl is really the only tool out there that does what it does, especially when looking at Splunk, as when Cribl first came out, Splunk wasn't able to intuitively do a lot of the things that Cribl did just out of the box with a GUI, making it super easy.
We were dabbling in data reduction, transformation using Splunk's Universal Forwarder and even the Heavy Forwarder in some instances, but it was just not as intuitive, with a lot of command line interaction and no GUI on the front end, making it harder to do, while Cribl makes it super easy.
How was the initial setup?
When we deployed Cribl, we were on-prem. All of our workers are on-prem. Our leaders are on-prem. Nothing's in the cloud. The major challenges that we faced really were related to the load balancer that needs to sit in front of the workers. I would like to maybe see that rolled up into Cribl in the future. That posed a lot of challenges for us just coordinating with our infrastructure team, getting the F5 engineers involved, using F5 load balancer. That was a challenge for us. We ultimately tackled it, however.
What was our ROI?
From my point of view, the biggest return on investment is just the downstream licensing costs we save on the SIEM side; we've reduced our data by a certain amount, and it has almost paid for Cribl itself and also allowed us to chop some licensing off of the SIEM side. We've reduced our amount of ingest by about 40% overall.
What's my experience with pricing, setup cost, and licensing?
I'm not really involved in the pricing and payment aspect of Cribl. I'm just the guy who implements it all once it's bought and paid for.
What other advice do I have?
We're not using Cribl Search at the moment; we're only using Stream and Edge.
If you're a company out there considering Cribl, I would highly recommend at least giving it due diligence; get linked up with the sales rep, as they're going to explain everything to you, and the sales engineers are great and very knowledgeable, making it worth your time and money, so you're going to be glad you did.
I rate Cribl nine out of ten.
Which deployment model are you using for this solution?
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Simplifies data processing and reduces ingest costs through real-time transformation
What is our primary use case?
Our main use case for Cribl is primarily taking data from all of our different data sources, doing some processing, field extractions, normalizing the data, and then sending it along to our SIEM for security incident response and investigation.
What is most valuable?
My favorite feature of Cribl is just how easy it makes working with the data; it's always been a pain point for us with other solutions, just taking our raw data from the source, transforming and manipulating it into what we need on the SIEM side. That's always been a pretty heavy lift; however, Cribl has made that much easier.
The tools built into the platform allow us to work with the data, see the results in real-time, see what the output's going to look like before we commit it, and have really made our job in that respect a lot easier.
The Cribl UI is very simple and easy to use, particularly when working with data from various sources; it makes it very easy to create pipelines, add complex logic to those pipelines, and then gives you a preview of what your data looks like before applying that pipeline and what you get after.
As we're bringing data in and Cribl's processing it, it makes it very easy to identify subsets of data or certain events in that source data that maybe are less useful or just noisy, not really applicable to what we need, what our security team needs, and we're able to just drop those events before they get sent out and ingested by our SIEM. So that helps keep our data pipeline streamlined, keeps our output clean. It filters out noise, and then it makes our analysis more efficient. That reduces the data volume going into our SIEMs, and that reduces and limits the ingest costs associated with that end. With less data, there's less to process when you're running complex searches. So we have charges against those compute resources reduced.
What needs improvement?
There are opportunities for AI to be incorporated more tightly into Cribl to help build out those pipelines and apply some more complex logic to those transformations, which could be useful.
Optimizing CPU utilization on the edge side is something that could be improved; we see, particularly on older hardware and older OSes, Cribl Edge service can eat up quite a bit of CPU resources compared to some other products we've used in the past, indicating there's room for improvement.
For how long have I used the solution?
We've been using Cribl for about one year.
What do I think about the stability of the solution?
We have run into a few performance issues and system crashes, mainly due to administrator error; building inefficient pipelines ended up utilizing or over-consuming CPU resources on the worker server, causing some outages. We've worked with Cribl support to resolve those issues, and it's been pretty stable recently.
As we've only been using Cribl for about a year now, I view many of those issues as part of learning the product and becoming better stewards of the system.
What do I think about the scalability of the solution?
We've only been using Cribl for about a year, so we haven't really seen much expansion and are still in a holding pattern. However, leveraging cloud resources does provide the ability to scale; we can provision additional servers on-prem to handle more data load as we scale up and bring on more resources, so I'm confident we'll be able to meet our future demands.
How are customer service and support?
When we've had issues with Cribl, the support we've received has been fantastic; they've been very responsive.
Our account team has stayed on top of the issues we've submitted, and all of the technicians we've worked with have been very knowledgeable, so we've been very happy with Cribl support overall.
On a scale of one to ten, I would give customer service a nine; I'm hesitant to say ten out of principle. There's always room for improvement.
The technicians we've been paired with on the cases we've submitted have all been knowledgeable and responsive. Our account team has been great, and when we've raised questions or concerns, they're quick to provide assistance.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Our primary driver behind implementing Cribl was the need to normalize our data with our existing SIEM solution at the time; we had numerous problems making it easily searchable and analyzable. With our previous solution, we easily onboarded new data sources; however, as we did that, we weren't necessarily taking the time to properly extract the fields out of that data that we needed.
Consequently, we ended up with a lot of data that was either not helpful or just not usable at all, which just consumed costs and space. Cribl addresses this by allowing us to easily create those pipelines and manipulate the data so that we could reduce the amount of information that we're ingesting that was not useful.
How was the initial setup?
Overall, the deployment of Cribl was very easy. We did not really run into too many challenges at all.
We deployed a hybrid architecture, so we primarily leverage the Cribl cloud. We also have some on-premises workers who we have connected to the cloud. It's a cloud-connected, yet independent leader and has worker nodes for processing edge data from offline edge nodes. So those systems are in secure VLANs and don't have outbound internet access. We're able to stand up an on-premises infrastructure that is still cloud-connected, that's part of our overall environment, and can capture that data and send it along to our system. So overall, we really did not have any challenges standing up the infrastructure. It's been very easy to stand up and maintain.
What was our ROI?
The return on investment for Cribl is that we've seen it really pay for itself.
When we recently went through a SIEM migration from Splunk to Microsoft Sentinel, we incorporated Cribl to help us reduce our ingest costs. What we've seen is really an overall reduction of just shy of 40% in our ingest into our SIEM platform versus prior to having Cribl, and those ingest costs have basically canceled out the pricing of Cribl licensing for us based on the volume of data that we have.
Which other solutions did I evaluate?
I don't recall considering other similar solutions to Cribl. Cribl was the frontrunner on that one. We did a proof of concept early on and immediately saw how easy it was to work with the data and recognized the value it could bring, leading us to move forward with it.
What other advice do I have?
I would advise other companies considering Cribl to just do it; it's worth it, as there's really little to no downside. It just makes your life easier.
On a scale of one to ten, I would rate Cribl a nine, as it brings tremendous value.
As a small security team, it really empowers us to get more useful data out of our sources, making our SOC and incident response teams more efficient and improving the overall security posture of our organization as we now have accurate, usable, easily analyzed data.
Which deployment model are you using for this solution?
Management of thousands of agents is simpler while reducing data volume significantly
What is our primary use case?
Security data is my main use case for Cribl. I ingest data using Cribl Edge and then process the data using Cribl Stream to reduce the amount of volume of the data collected for use in other platforms.
How has it helped my organization?
The Cribl Edge features that are easier to use or to manage help me to reduce the amount of people I need to help manage the product.
As part of Stream, reducing the amount of volume provides a financial benefit to allow us to pay less for the other products that we are using the data in down the data path or stream.
What is most valuable?
The ease of management and configuration of Cribl Edge features is highly beneficial. I have many thousands of Cribl Edge nodes deployed, and it's very easy to make configuration changes across the board or update the agent. 
It can contain data cost and complexity. In terms of data complexity and cost, Cribl does a good job at providing solutions that will compress the data while retaining its usable form, or split the data such that you can retain its original form and send a reduced form to your end destination. In terms of reducing the amount of logs with Cribl for firewall specifically, I am able to reduce the size and reformat the logs so that they are better able to be used downstream.
Cribl has influenced the data processing workflow by allowing us to be platform-agnostic, and being able to separate the data into different destinations is quite easy.
The Cribl UI in general is very intuitive in how to manage log processing and configurations. Customer service and support deserves an 8.5 rating. They are really good at what they do, and you can tell that they are passionate about their product and helping customers have success.
What needs improvement?
Cribl could be improved by some UI tweaks and some usability tweaks, mostly centered around error troubleshooting for large volumes of Edge nodes.
I have talked to the developers of the Cribl Edge software and they're very open and welcoming to the feedback and are looking to implement changes to help make the product better.
For how long have I used the solution?
I have been using Cribl for a few months since July of 2025.
What do I think about the stability of the solution?
Cribl is overall a very reliable product and solution. The few times that I've had any reliability issues, they were quick to help me identify and proactive in helping me identify potential issues in the platform.
What do I think about the scalability of the solution?
We have over 10,000 employees.
Cribl does a good job of handling large volumes of data very quickly. The Cribl Cloud that we have deployed allows for easy scaling to meet the needs of onboarding tens of thousands of Cribl Edge devices in a single day in some cases. Cribl makes scaling for Edge or Cribl Cloud data nodes very easy to add or replace Cribl worker nodes and allows you to, with one click, reconfigure Cribl Cloud workers to be able to ingest higher volumes of data.
How are customer service and support?
Cribl technical support and customer service has been great so far. I really appreciate having a direct line to my Cribl SE or many different Cribl private resources via their Slack channel.
It is a really easy way to quickly get an answer on something rather than having to put in a support ticket; however, support tickets are also fairly straightforward and easy to use.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I did not use other solutions before Cribl that do the same thing as Cribl does.
How was the initial setup?
My experience for deploying Cribl was pretty easy. We have Cribl Cloud, and they make that a very simple solution to stand up. And for the on-prem resources that we have for Cribl workers, those were also easy to stand up and get connected to the cloud. So, overall, it's very easy to deploy the platform and to get it to configure.
What was our ROI?
The biggest return on investment is probably the log reduction capabilities while retaining the essential information from the logs. In some cases, greater than 80% reduction is achievable. Across thousands of endpoints, it really adds up quickly.
What's my experience with pricing, setup cost, and licensing?
The pricing for Cribl was fairly straightforward. They have a universal license that allows us to consume the portions of Cribl that we want to use or flex into other portions of Cribl. We primarily use Cribl Edge and Cribl Stream at this point, but we could also use the same license for Cribl Lake or Cribl Search.
Which other solutions did I evaluate?
I did not consider other solutions in my company before choosing Cribl.
What other advice do I have?
I've worked in information security for over ten years. 
With any SaaS solution, it's sometimes a difficult decision to decide to do on-premises versus a SaaS solution for on-cloud. I would recommend Cribl on Cloud for its ease of use and manageability. The managed updates are very nice and they have a proactive services team that helps monitor the infrastructure.
Overall, I would rate Cribl nine out of ten. While there are some shortcomings, the direct feedback loop they give to customers makes it a really good product overall.
