Cribl LogStream integration

You can configure Cribl LogStream to send webhook notifications to Moogsoft Cloud using custom integrations. A custom integration is a user-defined Moogsoft endpoint that ingests JSON payloads and converts them to Moogsoft events or metrics. You can define your own mappings for each endpoint based on the payloads you want to send. See Create Your Own Integration.

This integration was validated with Cribl LogStream on December 8, 2021.

Note the following:

  • A Moogsoft custom integration can ingest either events or metrics. Each custom integration has its own separate API key and Cribl-to-Moogsoft Cloud mappings.

  • There is no limit to the number of custom integrations you can create.

  • The following sections provide simple event and metric mappings as examples. The specific mappings you want to define depend on the data you want to send.

Create the Moogsoft Cloud custom integration

  1. Log in to your Moogsoft Cloud SaaS instance as an Owner or Administrator.

  2. Choose Integrations > Ingestion Services > Create Your Own Integration.

  3. Click Add New Integration and specify the following:

    1. An integration endpoint and description.

    2. The data type to send to the endpoint: Events or Metrics.

The integration setup screen appears with the URL and API key for the new endpoint.

Configure the webhook destination in LogStream

  1. From the top nav of a LogStream instance or Group, select Destinations, then select Webhook from the Data Destinations page's tiles or the Destinations left nav. Click + Add New to open the Webhook > New Destination modal.

  2. In the Configure > General Settings tab, enter or select the following values:

    • URL: The URL for the new custom integration (copy this from the Moogsoft Cloud UI).

    • Method: POST

    • Format: Custom

    • Content type: application/json

  3. In the Configure > Advanced Settings tab, go to Extra HTTP Headers and add the following:

    • Name = apiKey

    • Value = The API key for the new custom integration (copy this from the Moogsoft Cloud UI).

  4. Click Save, then Commit & Deploy.

Map Cribl data to Moogsoft Cloud

The following sections provide simple examples of mapping a Cribl payload to a Moogsoft Cloud custom integration. Your mappings will differ depending on the data you want to send. However, the following principles apply to all custom mappings:

  • Moogsoft Cloud has a defined event schema and metric schema. Each schema includes a set of required fields. Your custom integration must include mappings for all required fields.

  • You can define custom tags for Cribl fields that do not have Moogsoft Cloud equivalents.

  • You can also specify default values in case Cribl sends an object with a missing field.

  • The Moogsoft Cloud event schema includes a severity field. You can map Cribl fields and values to Moogsoft Cloud severities or define a default severity if a payload does not include this information.

Define and validate your event or metric mappings as follows.

Event mapping

The following procedure uses Cribl syslog messages to illustrate how to map Cribl payloads to Moogsoft events. The following steps outline the workflow:

  1. Send a sample payload to Moogsoft Cloud.

    In Cribl, open the config screen for the webhook destination and do the following:

    1. Go to the Test tab.

    2. In the Test Input field, define one or more JSON payloads for the Cribl data you want to send. To map syslog events, select syslog.log in the Select Sample pull-down.

    3. Click Test.

  2. Map the event fields.

    Go to the Moogsoft Cloud config screen for the custom integration. Under Map Your Data, you should now see the payload you just sent.

    Select the payload and then define your Cribl-to-Moogsoft Cloud mappings. Your Cribl data will largely determine the mappings you want. See Events Object in the Moogsoft Cloud API docs.

    Here are some reasonable mappings for the syslog payload in this example.

    | Cribl source fields    | Moogsoft Cloud target field |
    |------------------------|-----------------------------|
    | host                   | source                      |
    | message                | description                 |
    | appname                | service                     |
    | facilityName           | check                       |
    | severity, severityName | severity                    |
    | procid                 | tag.process-id              |

  3. Map the severities.

    The Moogsoft Cloud event schema has a severity field. You can specify integers or strings, from 0 (“clear”) to 5 (“critical”). Here are some reasonable mappings.

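    | Syslog severities                         | Moogsoft Cloud severities |
    |-------------------------------------------|---------------------------|
    | 0, 1, 2, “emergency”, “alert”, “critical” | Critical (5)              |
    | 3, “error”                                | Major (4)                 |
    | 4, “warning”                              | Warning (2)               |
    | 6, 7, “informational”, “debug”            | Unknown (1)               |
    | 5, “notice”                               | Clear (0)                 |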

  4. Verify your mappings.

    Once you save and apply your mappings in Moogsoft Cloud, do the following:

    1. Cribl — Return to the Test tab for the webhook destination. Click Test again to send another payload.

    2. Moogsoft Cloud — Go to the Alerts screen. You should now see a new alert based on the payload you just sent.
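
The field and severity mappings from steps 2 and 3, written as a Python function so they can be checked offline against sample payloads, including payloads with missing or unrecognized values. This is an added example, not Moogsoft or Cribl code; the sample payload, the default severity, and the set of fields treated as required are assumptions.

```python
# Field and severity tables copied from the mapping tables above.
FIELD_MAP = {"host": "source", "message": "description", "appname": "service",
             "facilityName": "check", "procid": "tag.process-id"}
SEVERITY_MAP = {
    **dict.fromkeys([0, 1, 2, "emergency", "alert", "critical"], 5),  # Critical
    **dict.fromkeys([3, "error"], 4),                                 # Major
    **dict.fromkeys([4, "warning"], 2),                               # Warning
    **dict.fromkeys([6, 7, "informational", "debug"], 1),             # Unknown
    **dict.fromkeys([5, "notice"], 0),                                # Clear
}
DEFAULT_SEVERITY = 1  # assumption: unmapped or absent severities become Unknown
# Assumption: targets this sketch treats as required; confirm in the Events Object docs.
REQUIRED = ("source", "description", "check", "severity")


def normalize(value):
    """Turn 3, "3" or "Error" into the key form used in SEVERITY_MAP."""
    if isinstance(value, bool):  # True/False would otherwise match 1/0
        return None
    if isinstance(value, int):
        return value
    if isinstance(value, str):
        text = value.strip().lower()
        return int(text) if text.isdigit() else text
    return None


def map_event(cribl, defaults=None):
    """Return (moogsoft_event, missing_required_fields) for one Cribl syslog object."""
    event = dict(defaults or {})  # default values for fields Cribl may omit
    for src, dst in FIELD_MAP.items():
        if cribl.get(src) not in (None, ""):
            event[dst] = cribl[src]
    # severity and severityName both feed the single Moogsoft severity field;
    # the first value found in the table wins, otherwise the default applies.
    event.setdefault("severity", DEFAULT_SEVERITY)
    for field in ("severity", "severityName"):
        key = normalize(cribl.get(field))
        if key in SEVERITY_MAP:
            event["severity"] = SEVERITY_MAP[key]
            break
    missing = [name for name in REQUIRED if name not in event]
    return event, missing


# Constructed sample payload using the source field names from the table above.
SAMPLE = {"host": "web01", "message": "disk full", "appname": "cron",
          "facilityName": "daemon", "severity": 3, "severityName": "error",
          "procid": "4242"}
```

A non-empty `missing` list flags a payload that would arrive without a mapped value, which is the case the default values in Moogsoft Cloud are meant to cover.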

Metric mapping

The following procedure uses Cribl AppScope metrics to illustrate how to map Cribl payloads to Moogsoft Cloud metrics. The following steps outline the workflow:

  1. Send a sample payload to Moogsoft Cloud.

    In Cribl, open the config screen for the webhook destination and do the following:

    1. Go to the Test tab.

    2. In the Test Input field, define one or more JSON payloads for the Cribl data you want to send. To map AppScope metrics, select appscope-metrics.log in the Select Sample pull-down.

    3. Click Test.

  2. Map the metric fields.

    Go to the Moogsoft Cloud config screen for the custom integration. Under Map Your Data, you should now see the payload you just sent.

    Select the payload and then define the Cribl-to-Moogsoft Cloud mappings you want. Your Cribl data will largely determine your mappings. See Metric Datum Object in the Moogsoft Cloud API docs.

    Here are some reasonable mappings for the AppScope payload you just sent.

    | Cribl source fields | Moogsoft target field |
    |---------------------|-----------------------|
    | _metric             | metric                |
    | _value              | data                  |
    | host                | source                |
    | unit                | tag.unit              |
    | pid                 | tag.pid               |

  3. Verify your mappings.

    Once you save and apply your mappings in Moogsoft Cloud, do the following:

    1. Cribl — Return to the Test tab for the webhook destination. Click Test again to send another payload.

    2. Moogsoft Cloud — Go to the Metrics screen. You should now see a new alert based on the payload you just sent.