Cribl Admin CCOE Flashcards

Question 1

Q

Which of the following is a valid JavaScript method?

Answer

A

.startswith
.endswith
.match

Question 2

Q

Which of the following logical operator are used as an “and” operator?

Question 3

Q

Value Expressions can be used in the following locations

Answer

A

Capture Screen and Routes Filtering Screen
Routes Filtering Screen and Pipeline Filtering
Pipeline Filtering and Capture Screen
None of the above! is the correct answer

Question 4

Q

Value Expressions are used to evaluate true or false.

Question 5

Q

Which of the following logical operator are used as an “not” operator?

Question 6

Q

Git

What command shows you the files that have changed, been added, or are tracked?

Question 7

Q

What order must you use to add a new file to a remote repository?

Answer

A

add, commit, push

Question 8

Q

Which command allows you to see a history or commits?

Question 9

Q

Which command allows you to add a file to the respository?

Question 10

Q

Worker Process

Answer

A

A process within a Single Instance, or within Worker Nodes, that handles data inputs, processing, and output. Worker Processess operate in parallel. Each Worker Process will maintain and manage its own outputs.

Question 11

Q

Worker Node

Answer

A

An instance running as a managed worker, whose configuration is fully managed by the Leader Node

Question 12

Q

Worker Group

Answer

A

A collection of Worker Nodes that share the same configuration

Question 13

Q

Leader Node

Answer

A

an instance running in Leader mode, used to centrally author configurations, and monitor a distributed deployment

Question 14

Q

Mapping Ruleset

Answer

A

an ordered list of Filters, used to map Workers to Worker Groups

Question 15

Q

Which of the following is not a Worker responsibility?

Answer

A

Back up to Git (local only)

Question 16

Q

Which of the following is not an advantage of a Distributed deployment over a single instance?

Answer

A

Advanced data processing capabilities
Advantages include - Higher reliability, unlimited scalability

Question 17

Q

Load Balancing among the Worker Processes is done the following way:

Answer

A

The first connection will go to a random Worker Process, and the remaining connection will go in increasing order to the following Worker Processes.

Question 18

Q

All Cribl Stream deployments are based on a shared-nothing architecture pattern, where instances/Nodes and their Worker Processes operate separately

Question 19

Q

The Single Stream instance is valid for dev, QA or testing environments

Question 20

Q

In Distributed Mode, the Worker Node…

Answer

A

is Stateless
Can continue running even without communication to the Leader with limitations
Can be accessed from inside the Leader
The main path between Sources and Destinations

Question 21

Q

Which of the following is true regarding Worker and Leader communication?

Answer

A

Worker initiates the communication between Leader and Workers

Question 22

Q

Worker processes within a Node are distributed using a round robin process based on connections

Question 23

Q

Which of the following are valid Stream deployment options?

Answer

A

Single Instance (software loaded on single host)
Distributed Deployment (Leader and Workers)
Stream deployed in Cribl’s cloud (SaaS)
Stream deployed in customers own cloud instance

Question 24

Q

Worker Group to Worker Group communication is best done by using…

Answer

A

Stream TCP
and
Stream HTTP

Question 25

Q

Cribl.Cloud advantages

Answer

A

Simplified administration
Simplified distributed architecture
Git preconfigured
Automatic restarts and upgrades
Simplified access management and security
Transparent licensing

Question 26

Q

Cribl.Cloud does not provide TLS encryptionon any Sources

Question 27

Q

Cribl.Cloud allows for Stream to Stream communication from Cloud Worker Groups to on-prem Worker Groups

Question 28

Q

Cribl.Cloud allows for restricted access to certain IP adresses

Question 29

Q

When using Stream in Cribl.Cloud, how do you get data into the cloud?

Answer

A

Using common data sources that are pre-configured (TCP, Splunk, Elastic, etc)
Using ports 200000-200100 that are available to receive data

Question 30

Q

Cribl.Cloud has preconfigured ports you can use to bring in data

Question 31

Q

Which of the following is not valid for a Cribl.Cloud deployment?

Answer

A

Single Stream instance
Distributed Stream instance with Leader on-prem & workers in the Cribl.Cloud

Question 32

Q

Which of the following are benefits when using Cribl.Cloud?

Answer

A

Simplified administration
Git preconfigured
Automatic upgrades

Question 33

Q

Cribl.Cloud cannot integratte with an on-prem Cribl Worker Group

Question 34

Q

Cribl.Cloud allowed ports include

Answer

A

20000-20010

Question 35

Q

Cribl.Cloud does not provide any predefined sources

Question 36

Q

What affects performance/sizing?

Answer

A

Event Breaker Rulesets
Number of Routes
Number of Pipelines
Number of Clones
Health of Destinations
Persistent Queueing

Question 37

Q

Estimating Deployment Requirements

Answer

A

Allocate 1 physical core for each 400GB/day of IN & OUT throughput
100GB in -> 100GB out to 3 destinations=400GB total. 400GB/400GB=1 physical core

Question 38

Q

Which of the following will impact your choice for amount of RAM?

Answer

A

Persistent Queueing requirements

Question 39

Q

Cribl Worker Process default memory is

Question 40

Q

How many Worker Nodes, each with 16vCPU is needed to Ingest 10TB and Send out 20TB?

Answer

A

11 Worker Nodes

Question 41

Q

Cribl recommends you use the following specifications?

Answer

A

16vCPU per Worker Node

Question 42

Q

How can a Stream deployment be scaled to support high data and processing loads?

Answer

A

Scale up with higher system performance (CPU, Ram, Disk) on a single platform
Scale out with additional platforms
Add more worker groups

Question 43

Q

With a very large # of sources (UFs), it is possible to exhaust the available TCP ports on a single platform

Question 44

Q

Leaders require higher system requirements than workers

Question 45

Q

Persistent Queueing (Source & Destination) might impact performance

Question 46

Q

Cribl scales best using…

Answer

A

Many medium size Worker nodes

Question 47

Q

Remote Repository Recovery - Overview

Answer

A

System Down
Install Git on Backup Node
Recover configuration from remote repository
Restart Leader Node
Back Operational :)

Question 48

Q

Setting up and Connecting to Git Hub

Answer

A

Set up GitHub
Create an empty crypto repository
Generate keys to connect Stream to GitHub (Public key>GitHub/Private Key>Stream)
Configure Stream UI to connect to Remote Git
Once connected, each time a change is made to local to sync with the remote repository

Question 49

Q

When using this commandto generate SSH Public and Private keys: ssh-keygen -ted25519 -C “your_email@example.com”, which file contains the public key

Answer

A

id_ed25519.pub

Question 50

Q

A remote repository on GitHub is a mandatory requirement when installing Cribl Stream

Question 51

Q

A Remote Git instances is

Answer

A

Optional for all Stream Deployments

Question 52

Q

What are the methods to backup Cribl Leader Node?

Answer

A

Rsync
Tar / untar
Copy configuration files to S3, rehydrate configuration files from S3

Question 53

Q

Git and Git Hub provides backup and rollback of Cribl Stream configurations

Question 54

Q

Cribl Stream fault tolerance requires the use of a remote Git repository

Question 55

Q

What is a true statement about GitHub acounts?

Answer

A

Requires manual configuration outside of Cribl Stream configuration

Question 56

Q

Stream disaster recovery requires a dedicated standby backup Leader

Question 57

Q

Which Git commands are part of the recovery steps?

Answer

A

Git init
Git fetch origin

Question 58

Q

What is the purpose of using Git?

Answer

A

To provide a backup of configuration files
To provide a history of changes within Stream

Question 59

Q

./cribl help -a

Answer

A

Displays a list of all the available commands

Question 60

Q

Common Cribl Stream commands

Answer

A

./cribl start
./cribl stop
./cribl restart
./cribl status (shows Stream status)
./cribl diag (manages diagnostic bundles)

Question 61

Q

Cribl Stream CLI

Answer

A

CLI gives you the ability to run commands without needed access to the GUI
Helps in creating automated scripts if needed
Gives you the ability to run diagnostics and send them to Cribl Support

Question 62

Q

What command is used to configure Cribl Stream to start at boot time?

Answer

A

boot-start

Question 63

Q

What format are the diag files in?

Question 64

Q

What does the command ‘cribl diag’ create command do?

Answer

A

Creates a gzip file with configuration information and system state

Answer 41

A

./cribl mode-master

Answer 42

A

systemctl start cribl

Answer 43

A

Files in the local directory
Log files
State of the system
Details about the system running Stream

Answer 44

A

Sources will have a red status on Leader until they are deployed to a worker group. Status can still be red if there are binding issues

Answer 45

A

Make sure JavaScript filter set for the live capture is correct. If no data is returned, the problem is likely with the network or further upstream

Answer 46

A

Ping the server?
Using nc or telnet command, test the connection source

Answer 47

A

Check by going to the Destination in Monitoring>Destinations and clicking on Status.
If the Source is connected via a Route to a Destination that is triggering backpressure, set to Block to stop sending data.

Answer 48

A

Typos? Proper authentication?

Answer 49

A

Stream can accept data pushed to it, or pull data via API calls
Open protocols, as well as select proprietary products, are supported
Pulling data falls into two categories
* Scheduled pulls for recurring data (think tailing a file)
* Collector jobs intended for ad hoc runs as in Replay scenario
Push Sources push to us such as Splunk, TCP
Internal sources are internal to us such as Datagens or Internal logs/metrics
Low-code interface eases management
Capture sample data at any stage to validate and test

Answer 50

A

Stream can process a syslog stream directly
Moving to Cribl Stream from existing syslog-ng or rsyslog servers fully replaces those solutions with one that is fully supported and easily managed
Optimze syslog events
Syslog data is best collected closest to the source
Use a load balancer to distribute load across multiple worker nodes
Reduce management conplexity while ensuring reliable and secure delivery of Syslog data to chosen systems

Answer 51

A

Beats are open-source data shippers that act as agents. Most popular with Cribl customers:
Filebeat - filebeat.yml
Winlogbeat - Winlogbeat.yml

Answer 52

A

Proxy URL

Answer 53

A

Having the collector stuck in a forever running state

Answer 54

A

Elastic Beats
Splunk Forwarder

Answer 55

A

‘setup.ilm.enabled: false’

Answer 56

A

Any destination

Answer 57

A

Both UDP and TCP traffic on Port 9514

Answer 58

A

Stream Collectors are a special group of inputs that are designed to ingest data intermittently rather than continuously.
Collectors can be scheduled or run ad-hoc
Cribl Stream Collectors supports the following data types

Answer 59

A

Azure Blob
Google Cloud Storage
REST
S3
Splunk Search
Health Check
Database
File System
Script

Answer 60

A

-Prepares the infrastructure to execute a collection job
-Discovers the data to be fetched
-Fetches the data that match the run filter
-Passes the results either through the Routes or into a specific Pipeline

Answer 61

A

-The Worker Node execute the tasks to its entirety
-The Leader Node oversees the task distribution and tries to maintain a fair balance across jobs
-Cribl Stream uses “Least-In-Flight Scheduling”
-Because the Leader manages Collectors’ state, if the Leader instance fails, the Collection jobs will fail as well.\

Answer 62

A

A Worker Node can have multiple worker processes running to collect data.
Since the data is spread across multiple worker processes, an alternative like Redis is required to perform stateful suppression and stateful aggregation

Answer 63

A

Discovers what data is available based on the collection settings

Answer 64

A

Collects the data based on the settings of the discovery phase

Answer 65

A

Multiple processes that process data independently

Answer 66

A

The Leader Node sends work to Workers based on previous distributions of work.

Answer 67

A

Scheduled or AdHoc

Answer 68

A

S3 Collector
and
REST Collector

Answer 69

A

Accept events in real time

Answer 70

A

accept events in groups or batches

Answer 71

A

For each destination type, you can create multiple definitions, depending on your requirements. Definitions include Block, Drop, Queue

Answer 72

A

Not all data is of equal value. High volume low value data can be sent to less expensive destinations

Answer 73

A

Simplify data analytics tools migration
Store everything you may need in the future, analyze only what you need now

Answer 74

A

Data collected once can be sent to multiple destinations without extra operations cost to run new agents

Answer 75

A

Quick time to value
Operations cost reduction

Answer 76

A

Reduce troubleshooting effort

Answer 77

A

Minimize data loss
Eliminate/minimize the need to introduce separate buffering/queueing tools

Answer 78

A

Splunk Single Instance - Stream data to a single Splunk instance
Splunk Load Balanced - Load balance the data it streams to multiple Splunk receivers (indexers)
Splunk HEC - Can stream data to a Splunk HEC (HTTP Event Collector) receive through an event endpoint

Answer 79

A

Multi-metrics is data sent in JSON format which allows for each JSON object to contain measurements for multiple metrics.
Takes up less space and improves search performance

Answer 80

A

Adjust timeout settings for slow connections. Increase request concurrenct based on HEC receivers

Answer 81

A

-Everything that is in _raw is viewable as event content
-outside of _raw is metadata which can be searched with tstats or by including :: instead of =
-Fields outside of _raw are viewe when event is expanded
-If events do not have a _raw field, they’ll be serialized to JSON prior to sending to Splunk

Answer 82

A

-Cribl Stream can send data to Splunk using a variety of different options
-Data can be sent securely over TLS
-Enabling multi-metrics can save space and perform better

Answer 83

A

Bulk API - Performs multiple indexing or delete operations in a single API call

Answer 84

A

Put all fields outside of _raw. use JSON

Answer 85

A

Create a policy > an index templatw
Each data stream’s index template must include name or wildcard pattern, data stream’s timestamo field, and mappings and settings applied to each
Source for data stream
Destination for data stream
Support for ILM

Answer 86

A

-Route data from multiple existing data sources or agents
-Migrate data from older versions
-Optimize data streams and send data in the right form to Elastic

Answer 87

A

Step 1: Configure Splunk Forwarder
Step 2: Configure Splunk Source in Stream
Step 3: Configure Elasticsearch Destination
Step 4: Configure Pipeline (regex extract function, lookup function, GeoIP function)
Step 5: Results

Answer 88

A

Stream does NOT have to run on AWS to deliver data to S3

Answer 89

A

Defines how files are partitioned and organized - Default is date-based

Answer 90

A

The output filename prefix - Defaults to CriblOut
Use only with low cardinality partitions and understand impact to open files & AWS API

Answer 91

A

=Max Unique Values
Number of Staging Sub-directories or S3 Bucket prefixes

Answer 92

A

When writing to S3 - too many open files and directories on worker nodes
When reading from S3 - Less chance of hitting S3 read API limits

Answer 93

A

When writing to S3 - bigger files written to fewer directories in S3
When reading from S3 - Less filtering ability during replays, more data downloaded so larger data access charges, larger changer of hitting S3 read API limit

Answer 94

A

Plan for cardinality of no more than 2000 / partition expression

Answer 95

A

Sending data from Stream Worker to Stream Worker, not Worker to Leader

Answer 96

A

Receive data from Worker Groups or Edge Nodes
Common for Customer-managed (on-prem) Worker sends data to a Worker in Cribl.Cloud
Internal Cribl Sources treat internal fields differently than other Sources

Answer 97

A

Enables Edge nodes, and/or Cribl Stream instances, to send data to one or multiple Cribl Stream instances
Internal fields loopback to Sources

Answer 98

A

-For maximum compression, it is best to change the data to JSON format
-Internal Cribl Destinations must be on a Worker Node that is connected to the same leader as the internal Cribl Source
-For minimum data transfer, process data on source workers instead of destination workers
-For heavy processing, process data on destination workers

Answer 99

A

Can negatively impact both read and write API count
Can dramatically increase number of open files
Generally avoid unless you’ve done your due diligence and have low cardinality partition expressions
All of the above

Answer 100

A

Compress data and reducing bandwidth
Reducing Cloud provider egress costs

Answer 101

A

Destination workers

Answer 102

A

Output router
Parquet Formation

Answer 103

A

Capturing data from overseas sources that is destined to local destinations
Reducing the number of TCP connections to a destination
Capturing data from a cloud provider and shipping it to an on-prem destination to avoid engress costs
all of the above

Answer 104

A

Cardinality of partition and file name expressions
Max open files on system

Answer 105

A

Less processing, smaller events, no metadata

Answer 106

A

-Allow you to use filters to send data through different pipelines.
-Filtering capabilities via JavaScript expression and more control
-Data Cloning allows events to go to subsequent route(s)
-Data Cloning can be disabled with a switch toggle

Answer 107

A

-Enable expression > Toggle Yes
-Enter JavaScript expresion that Stream will evaluate as the name of the Destination

Answer 108

A

Allows you to stop processing the data depending on the outcome. If an event matches the filter, and toggle is set to Yes, those events will not continue down to the next Route. Events that do not match that filter will continue down the Route

Answer 109

A

-Follow “Most Specific First” when using cloning
-Follow “Most General First” when not using cloning
-At the end of the route, you will see the “endRoute” bumper reminder

Answer 110

A

Route unreachable waarning indicator: “This route might be unreachable (blocked by a prior route), and might not receive data.
Occurs when matching all three conditions:
-Previous Route is enabled
-Previous Route is final
-Previous Route’s filter expression evaluates to true

Answer 111

A

Filter Early and Filter fast!
-you want to quickly filter out and data you do not want to process

Answer 112

A

-Certain JavaScript string operators run faster than others
-Each of these functions operates similarly to each other, but slighty different:
-indexof, includes and startswith use strings as their function parameter
-match, search, and test use regular expressions

Answer 113

A

Most General: If cloning is not needed at all (all Final toggles stay at default), then it makes sense to start with the broadest expression at the top, so as to consume as many events as early as possible

Most Specific: If cloning is needed on a narrow set of events, then it might make sense to do that upfront, and follow it with a Route that consumes those clones immiediately after

Object Storage (S3 buckets): Since most data going to object storage is data being cloned, it is best to put routes going to object storage at the top.

Filter on common fields. Filter on fields like inputid, and metadata fields, rather than _raw.includes

Answer 114

A

Navigate to the Source. Go to ‘Connected Destinations’. Click on ‘Routes’ to revert to using them instead of QuickConnect. Create 2 routes: one to replace the old QuickConnect that was deleted, and a new route with a filter to map to the events of interest.

Answer 115

A

Filter early and filter fast!

Answer 116

A

-Routes have drag and drop capabilities to connect to a source to a destination; QuickConnect doesn’t (FALSE)
-QuickConnect has advanced capabilities to assign for assigning pre-processing pipelines to a source and post-processing pipelines to a destinations (FALSE)
-QuickConnect does not allow mapping a Pack between sources and destinations (FALSE)
-Routes map to a filter; QuickConnect maps a source to a destinatiosn (TRUE!!!!)

Answer 117

A

-Stream Syslog Source receiving events from hundreds of device types and applications (NOOOOOOOO)
-Stream Splunk Source receiving events from Windows and Linux hosts with Splunk Universal Forwarders (NOOOOOO)
-REST API Collector polling Google APIs with JWT authentication (NOOOOOO)
-Palo Alto devices sending to a dedicated Stream Syslog Source mapping to a different port than other syslog events (YESSSSS)

Answer 118

A

Filter Expressions are used to decide what events to act upon in a Route or Function. Uses JavaScript language

Answer 119

A

typically used in Functions to assign a value. Uses JavaScript language

Answer 120

A

-Assigning a Value
-Evaluating to a Value
-Evaluating to true/false

Answer 121

A

Filter Expressions can be used in multiple places:
-Capture
-Routing
-Functions within Pipelines
-Monitoring Page

Answer 122

A

name.toLowerCase(): any uppercase characters in the field name get changed to lowercase
name.replace(“geoip_src_country”, “country”): This is useful when JSON objects have been flattened (as in this case)

Answer 123

A

Expression methods can help you to help determine true or false. Here is a list of commonly used methods:
.startswith: Returns true if a string start with the specified string
.endswith: Returns true if a string ends with the specified string
.includes: Returns true if a string contains the specified string
.match: Returns an array containing the results if the string matches with a regular expression
.indexOf: returns the position of the first occurrence of the substring

Answer 124

A

Cribl Expressions are native methods that can be invoked from any filter expression. All methods start with C.

Examples: C.Crypto or C.Decode

Answer 125

A

Test your expression against sample data
Test your expression against data you have collected
Test your expression against data to see if it returns true or false
Ensure your expresison is written correctly

Answer 126

A

”>”
“<”
“==”
“!==”

Answer 127

A

Functions within Pipelines
Routes
Monitoring Page
Capture Page

Answer 128

A

”==” checks that the value is equal but “===” checks that the value and type are equal

Answer 129

A

Pipelines are a set of functions that perform transformations, reduction, enrichment, etc.

Answer 130

A

-Can improve SIEMs or analytics platforms by ingesting better data
-Reduce costs by reducing the amount of data going into a SIEM
-Simplifies getting data in (GDI)

Answer 131

A

Elastic LogStash
Splunk props/transforms
Vector Programming

Answer 132

A

Pre-Processing - Normalize events from a Source
Processing - Primary pipeline for processing events
Post-Processing - Normalize events to a Destination

Answer 133

A

This type is applied at the source
Used when you want to normalize and correct all the data coming in
Examples:
-Syslog Pack pre-processing all syslog events coming from different vendors; specific product packs/pipelines can then be mapped to a route
-Microservices pack pre-shapes all k8s, docker, container processed logs
-Specific application pipeline/packs can then be mapped to routes

Answer 134

A

Most common use of pipelines
you can associate pipeline to routes using filters

Answer 135

A

Maps to Destinations
Universally post-shape data before it is routed
Examples:
-Convert all fields to JSON key value pairs prior to sending to Elastic
-Convert all logs to metrics prior to sending to Prometheus
-Ensure all Splunk destined events have the required index-time fields (index, source, sourcetype, host)

Answer 136

A

Name your pipeline and the route that attaches to it similarly
-Create different pipelines for different data sets. Creating one big pipeline can substaintially use more resources, become unmanagable, and look confusing and complicated.
-Filter early and filter fast!
-Do not reuse pipelines. Do not use the same pipeline for both pre-processing and post-processing. Can make it hard to identify a problem and where it stems from
-Capture sample events to test. Allows you to visualize the operation of the functions within a pipeline.
-Test! Use data set to test and validate your pipeline
-Use statistics. Use Basic Statistics to see how well your pipelines are working
-Pipeline Profiling - determine performance of a pipeline BEFORE it is in production

Answer 137

A

-Functions act on received events and transform the received data to a desired output.
-Stream ships with several functions that allow you to perform transformations, log to metrics, reduction, enrichment, etc.
-Some expressions use JavaScrip
-For some functions, knowning Regex will be required

Answer 138

A

Eval
Sampling
Parser
Aggregations
Lookup

Answer 139

A

Evaluate fields - Adds or removed fields from events
Keep and Remove Fields - Keep fields take precedence over remove fields

Answer 140

A

It extracts fields out of events, or can be used to manipluate or serialize events

Answer 141

A

Types
CSV - splits a field containing comma separated vvalues into fields
Delimited Values - Similar to CSV, but using any delimiter
Key=Value pairs - Walks through the field looking for key value pairs (key=value) and creates fields from them.
JSON Object - Parses out a full JSON object into fields
Extended Log Format - Parses a field containing an Apache Extended Log Format event into fields
Parses a field containing an Apache Common Log Format event into fields

Answer 142

A

Looks to enrich your events from other data sources. Performs look ups against fixed databased such as CSV,CSV.GZ
Theres three match modes: Exact, CIDR, regex
Three match types for CIDR and Regex: First Match, Most specific, All
GeoIP: Performs looks up against fixed databased like MMDB or Maxmind
DNS Lookup: Performs DNS queries and returns the results
Redis: Supports the entire REDIS command set

Answer 143

A

-Exact match will be case sensitive
-Results will be added as fields in the event
-Order your lookup from most specific to least
-Create efficient regex
-For DNS enrichment, use local caching DNS

Answer 144

A

allows you to apply statistical aggregation functions to the data to generate metrics for that data

Answer 145

A

which returns the average values of the parameter specified (for example, the parameter is a field that contains the number of bytes in, say a firewall transaction, avg will return the average number seen in the time window

Answer 146

A

Will similarly return the median (the “middle” number of the sorted values of the parameter within the time window)

Answer 147

A

each returns the minimum or maximum value, respectively, of the parameter within the time window

Answer 148

A

returns the specified percentile of the values of the specified parameter

Answer 149

A

returns the rate that the different values of the parameter occur at in the event window

Answer 150

A

Stream is a share nothing architecture.

Answer 151

A

duplicates events as they are passing through Stream

Answer 152

A

Mask/Replace/Redact patterns and events. helpful for masking personal information

Answer 153

A

Extract using regex named groups

Answer 154

A

Eval, parser, drop, aggregations, rename

Answer 155

A

Lookup, DNS lookup, GeoIP, Redis

Answer 156

A

Dynamic sampling, publish metrics, rollup Metrics

Answer 157

A

Chain, Clone, Code, Event Breaker, JSON Unroll, Tee, Trim timestampl, Unroll, XML Unroll

Answer 158

A

CEF serializer, flatten, serialize

Answer 159

A

-Use typeahead to get a list of functions you can use in JavaScript
-You can use tooltips to get help on most fields in the UI by clicking the question mark
-Add comments and descriptions to your functions in order to explain what is happening
-Function groups allows you to group a set of functions together
-Use the three dotes to access additional functions to a pipeline

Answer 160

A

CSV
delimited values
JSON Object
SQL (incorret, it cannot parser this)

Answer 161

A

Aggregations

Answer 162

A

Packs let you Pack up and share Stream configurations and workflows across Worker Groups, or across organizations

Answer 163

A

Packs contain everything between a Source and a Destination

Answer 164

A

Sources
Source Event Breakers
Collectors
Destinations
Knowledge Objects

Answer 165

A

Make them useful for the community. Include sample files and lookups to ensure the community can test your pack
Make them reusable. Make sure you include details on how to configure any relevant Sources and Destination

Answer 166

A

-start names with cc for community members. use all lower case letters. use dashes for separate words

Answer 167

A

-There is no concept of a Local directory inside the Data directory
-Changes to Pack will create a local copy of that change
-Local always wins over default
-Making changes to routes will create a local version of route.yml

Answer 168

A

-Never delete anything in the default folder
-If you delete items in default, they will reappear when you reload configs or restart the leader
-Workaround: Untar the pack in the CLI, carefully delete things and update the appropriate references in the files, tar up the contents of the Pack from within the pack folder

Answer 169

A

-Never modify Knowledge objects that ship with the pack
-If you modify any knowledge object that ships with the Pack, it will be overwritten. This includes lookups, etc.
-Workaround - create a new knowledge object, any new knowledge object will not be overwritten

Answer 170

A

-Pack was updated but you cannot see any new updates or new features
-since local has a higher preference, you will not see any of the new updates that are in the default
-Workaround: delete and install the new pack, import the updated pack, import the pacck with a new ID each time you install a PAck update, merge local changes from the older pack into the newer pack

Answer 171

A

-Do not delete routes in a pack
-you deleted all the routes in a pack and reinstalled the pack but the routes do not return
-Workaround: delete the pack, restart the leader, reinstall the pack again

Answer 172

A

-review the README to understand Pack updates
-Import the Pack with a separate/unique ID to see the new updates
-Exporting a Pack with the merge option selected will overwrite defaults and will merge any local changes
-The Cribl Knowledge Pack is a great way to learn more advanced functions in Stream

Answer 173

A

-import a file
-import from a URL
-import from Git
-import from https://packs.cribl.io

Answer 174

A

-Enable plug and play deployments for specific use cases
-Improve time to value by reducing hurdles and providing Cribl Stream users with out of the box pipelines
-Target users in medium/large deployments sharing configurations and content across multiple worker groups

Answer 175

A

Pre-built configuration blocks designed to simplify the deployment and use of Cribl Stream

Answer 176

A

-Cribl creates packs and makes them available for Cribl Stream users
-Partners and Users can create packs and make them available for Cribl Stream users
-Downloaded packs can be edited for specific needs and then shared
-ALL OF THE ABOVE IS CORRECT

Answer 177

A

Merge safe, Merge, and Default only

Answer 178

A

-Route data to cheap storage, Replay it back later
-Search and Replay only the data you need
-Send the Replayed data to any destination

Answer 179

A

Recommendation: Use Object Store
Cost: Object Store is 70-95% cheaper than alternatives
Metadata and searchability: Searching Object Store is a top choice for high volumes of data. Searching File storage is more appropriate for lower volumes of data.
Volume: For high volumes of data, object or block storage are best
Retrievability: Data is relatively retrievable from all three types of storage, though file and object storage are typically easier to access
Handling of metadata: typically, best served by object storage

Answer 180

A

Recommendation: Use dedicated Worker Group
No impact on Production Worker Nodes: Use dedicated Worker Group to process large amount of historical data and avoid impact on other workloads
Egress: Place the Worker Group in the same Cloud provider as the Object Store (S3) and Destination
Dynamic Scaling: If possible, use Dynamic Scaling, for example in Kubernetes

Answer 181

A

Recommendations: Partitining Expression on Destination should be the same as the Partitioning Expression on the Collector

Answer 182

A

Recommendation: Enable user friendly replays

Answer 183

A

Recommendation: Use Partitioning Expression in Search. Do not use content from within the events

Answer 184

A

Recommendation: Use a field to mark the data you want to Replay. Send Replayed data to any destination

Answer 185

A

Replay means jumping into critical logs, metrics and traces as far back in time as you want, and saying “let’s see that again.”
Keep more data for longer retention periods and pay a lot less
Replay data to any analytics tools for unexpected investigations
Improve the quality and speed of your analytics environment by saving older data somewhere else
Using Object Store (S3) is the most effective storage

Answer 186

A

-Reducing Analytics tool or SIEM spend
-Making data available for other soultions
-Replaying historical data for a threat hunting exercise
-Replaying debug logs for a troubleshooting event
Correct Answer is all of the above!

Answer 187

A

Use a unique Index name

Answer 188

A

Retrievability
Handling of metadata
Cost
NOT permissions

Answer 189

A

Partitioning Expression filtering
File name Expression filtering

Answer 190

A

-The edge is where we see the most data being generated
-Use data directly from the edge without having to move it

Answer 191

A

-Able to install on Docker, Kubernetes, Linux, and Windows Servers
-To install, go to Manage > Edge Nodes > Add/Update Edge Node
-Provides customizable scripts for each operating system

Answer 192

A

-Kubernetes Logs (collects container logs and system logs from containers on a Kubernetes Node)
-Kubernetes Events (collects cluster-level events from a Kubernetes Cluster
-Kubernetes Metrics (collects events periodically based on the status and configuration of the Kubernetes cluster)

Answer 193

A

-System Metrics (collects metrics data including messages from CPU, Memory, Network, and Disk)
-Journal Files (centralized location for all messages logged by different components in a systemd-enabled system)

Answer 194

A

-Windows Event Logs (collects standard event logs, including Application, Security, and System logs)
-Windows Metrics (collects metrics data from Windows hosts)

Answer 195

A

-Enable Edge Nodes to send data to peer Nodes connected to the same Leader
-Cribl HTTP (best suited for: Distributed deployments with multiple workers. Use of load balancers. Valuable in hybrid cloud deployments.)
-Cribl TCP (best suited for: medium size deployments. All on prem. Valuable in certain circumstances)

Answer 196

A

-HTTP/TCP Destination must be on Edge Node connected to the same Leader as HTTP/TCP Source
-Must specify same Leader Address on Edge Nodes that host Destination and Source
-To configure Leader Address via UI > log into Edge Node’s UI
-Destinations Cribl endpoint must point to peer Address and Port of Source
-When configuring hybrid workers, Edge Nodes that host Destination / Source must specify exact same Leader Address

Answer 197

A

1) Cribl Source to receive data from Edge Node
2) Configure Destination on Edge to send data to Stream
3) Configure Route to send your data to Stream

Answer 198

A

-Deploy to a variety of machines using provided scripts (ability to deploy to a wide variety of systems including Linux servers, Windows servers, Docker containers and Kubernetes)
-Capture sources from a wide variety of systems (built in sources allows for quick and easy configuration to gather the data you need)
-Combine with Cribl Strea (When using Edge with Stream, you unlock the power of Stream by using Workers to process the data)

Answer 199

A

-Open source, runtime-agnostic instrument utility for any Linux command or application
-Offers APM-like, black-box instrumentation of an unmodified Linux executable and application
-Interposes itself between applications and share libraries and system calls
-Observe applications from the inside, viewing resource consumption, filesystem traffic and network traffic including clear text payloads

Answer 200

A

-AppScope gives you multiple ways to route collected data.
The basic operations are:
-in a single operation, you can route both events and metrics to Cribl Edge, default configuration
-You can also route both events and metrics to Cribl Stream, local instance or in the Cribl.Cloud
-Support routing events and metrics to a file, a local Unix socket or any network destination, in addition to Cribl Edge and/or Stream

Answer 201

A

-Go to Cribl.io, download from the top menu, download your preference.
-Installing: Load and execute via CLI, done and ready to start working

Answer 202

A

Scope.yml is the sole library configuration file for AppScope. Environment vvariables override configuration settings

Answer 203

A

State ‘Scoping’ - the most basic command: /bin/echo
another command: scope metrics
scope events
scope events 0 (gives info on that event)
scope events -j | jq - events in JSON format

Answer 204

A

scope hist (defaults to last 20)
to scope a specific session use the ID. example: scope hist –id 2

Answer 205

A

‘scope perl’
‘scope events’
‘scope events –id 1 - fs.open’ (file system events)
-a says to output all events
-j outputs events as JSON
-jq filters down to just the file names
sort and uniq helps us find only the unique filenames opened

Answer 206

A

bat log.py
scope python3 log.py

Answer 207

A

scope sh -c ‘echo “some bytes” | nc -w1 localhost 10001’
scope metrics -m net.tx -m net.duration –cols

Answer 208

A

scope events -t net

Answer 209

A

scope flows
scope flows ir1JM1 (flowID)

Answer 210

A

scope curl -so /dev/null http://localhost/
scope events

Answer 211

A

scope metrics -id 1 -g proc.cpu_perc
scope metrics –id 1 -g -m proc.fd

Answer 212

A

Detailed Telemetry: automatically collects application performance data. Automatically collect log data written by the application
Easy Management: Use the CLI when you want to explore in realtime, in an ad hoc way. Use the AppScope library (libscope) for longer-running, planned procedures
Platform Agnostic: Offers ubiquitous, unified instrumentation of any unmodified Linux executable. Supports single-user or distributed deployments

Answer 213

A

scope hist

Answer 214

A

Step 1: A private key (a large prime #) is (always) created first using a took like openssl
Step 2: Using the private key, a public key (another large prime #) is created and embedded in a Certificate Signing Request. This requires specifying minimum set of info: subject’s name (CN=), org name, OU, city, state, country, and possibly subject alternative name (SAN)
Step 3: The CSR is signed, either by it’s own private key or a CA’s key
Step 4: You now have a certificate with a private key

Answer 215

A

-a cert cannot exist without being signed
-public key (in signed certificate) can encrypt/verifiy data
-Private key can decrypt/sign data
-Caveat: Entity possessing the private key may not be the rightful owner

Answer 216

A

-CAs are used to sign Cert Signing Requests
-Public vs Private - depends on the needs such as vetting levels, cost, cert visibility
-The first/top-level CA is the root > assertion of trust
-The second CA is an subordinate/intermediate - option but best practice

Answer 217

A

-Self signed certificates are not simply ones you sign yourself
-self-signed cert is simply one signed by the same entity whose identity it certifies
-Every root CA cert is self-signed
-Every self-signed cert is also a root but not necessarily a CA
-Still provides confidentiality, but authenticity and data integrity are suspect
-CA-signed (public or private) certificates mititgates these issues
-One step further is having the CA root cert deemed a trusted root by applications

Answer 218

A

Increasing trust as u go down the list:
-Unsigned certs (no such thing)
-Self-signed certs
-Private CA-sgned certs
-Public CA-signed certs
-CA-signed certs whereby the CA is deemed trusted

Answer 219

A

-Chains exist when a non-self-signed certificate is involved
-Many public CAs use chains to protect their root certs
-Frequently used within organizations handling their own signing
-Validating chains - starts at the bottom and moves up the chain to the root:
issuer of each cert matches the subject of the next cert (except for the root)
Each cert is signed by the private key corresponding to the next cert up the chain (except root)
Last cert (top of the chain) is the trust achor

Answer 220

A

-Client and server applications are configured with a set of ciphers
-Consist of multiple categories of algorithms
-Many combinations exist as discrete suites
-SSL/TLS versions have cipher suites associated with them
-When a TLS version is released, new ciphers may be provided
-Old ciphers can be deemed insecure > deprecated

Answer 221

A

Protocol: TLS in this example
Key Exchange: During the handshake the keys will be exchanged via ephermeral Ellitic Curve (EC) Diffie Hellman (ECDHE)
Authentication: ESDSA is the authentication algorithm
Bulk Encryption: AES_128_GCM (symmertric), specficially w/ Galois Counter Mode using a 128-bit key size
Hash: SHA-256

Answer 222

A

-Asymmetric encryption will be important any time you are looking to encrypt data from sources/destinations to most modern applications, including Stream
-PKI involves a public key used to encrypt data and a private key used to decrypt the public key encrypted data
-Certificates can be self-signed or signed by a Certificate Authority, self signed can be used for internal to internal encryption

Answer 223

A

Asymmetric

Answer 224

A

Symmetric encryption and Asymmetric encryption

Answer 225

A

Certificate Authority

Answer 226

A

-Cribl Stream encrypts secrets stored on disk
-The keys used for encryption (cribl.secret) are managed by KMS
-The keys are unique to each Worker Group + Leader
-Encryption key can be managed by Cribl Stream or by an external KMS
-Secrets encrypted by the Key: Sensitive information stored in configs and data encryption keys stored as configs

Answer 227

A

-Centralized key management for your organization
-Change and access audit
-High availability key management options
-Minimizing key exposure

Answer 228

A

Stream Internal is the default KMS. Changing your KMS is not available with Stream free license
-to get to KMS Settings: Settings > Security > Secrets
-A System/Leader key; additional keys for each Worker Group
-If HashiCorp Vault or AWS KMS are used, Leader and Worker Nodes must have network access to the external KMS

Answer 229

A

-Keys are set up separately at the Leader and each Worker Group levels to contain secrets access to the Worker Groups and the Leader
-After KMS configuration is performed in Cribl Stream, the specified Secret Path will be created in the Vault

Answer 230

A

-Backup your cribl.secret files before switching to external KMS
-Switching from external to internal KMS while the external KMS is not accessible may render your Cribl Stream environment unusable
-If an external KMS is used, Leader AND Worker Nodes must have access to the external KMS to operate
-Test your KMS configuration in a non-production Cribl Stream environment

Answer 231

A

Separately, in the Leader Node and Worker Groups settings

Answer 232

A

HashiCorp Vault
AWS KMS

Answer 233

A

-Authenticate Client (mutual auth) - if true, server requests client cert. Off by default
-Validate Client - Clients whose certs aren’t authorized (i.e. signed by built-in CAs) have connection denied. Off by default
-Mutual auth enables optional CN validation via regex

Answer 234

A

-Leaf cert expiration and validation of CA chain then
-CN / SAN checks per RFCs
-Only one is checked, regardless of no matches. SAN checked first, if values exist.
-IPs are only accepted if theya re in both SAN and Subject attributes

Answer 235

A

-Stream as a client can validate the remote server certification using Validate server certs toggle
-Some destinations (like AWS) allow rejecting unauthorized (example is self-signed certs)
-If GUI does not provide a Reject Unauthorized toggle, then a global one can be used (Requires a restart and must be included in systemd unit file)

Answer 236

A

generating a self-signed certificate with openssl

Answer 237

A

-For self-signed, simply add the cert to the Certificate field
-Preferably, use the CA Certificate field for importing one or more CA certs. Pros: avoids using NODE_EXTRA_CA_CERTS. Cons: not obvious trusted CA certs are associated with this host cert
-Sub/root CA certs can be added to the Certificate field

Answer 238

A

-Worker nodes should appear identical to external systems
-Worker nodes should internally reflect their individuality for better security
-API and cluster settings on a node can use the same cert reflecting the worker’s name
-Subject (CN is hostname) and SAN should be defined
-Use the SAN to include all possible names
-Manage certs via UI == each worker gets the full cert set

Answer 239

A

-Separate (from API/custer) certs can and should be used (managed via GUI) for src/dst configs to reflect the worker group’s FQDN
-Two Options: Single cert for all workers, or different cert on each worker
-Former is more scalable due to wildcard but validationfails if connecting with IPs
-Depending on details (example key size) some systems may not accept the configured cert
-For both options, trusted root CA (vs internal CA) is preferred and possibly required

Answer 240

A

-TLS can also be configured for Worker to LEader comms using the intance yaml file, environment variables, or via CL
-yaml config will be done via the $CRIBL_HOME/local/_system/instance.yml file under the distributed section

Answer 241

A

Logs:
-$CRIBL_HOME/log/cribl.log
-Certs/TLS errors will be logged here. If workers are not showing up on the leader check the worker logs for cert errors.
-$CRIBL_HOME/local/_system/instance.yml
-Contains TLS settings, helpful if the workers are not connecting

Tools
-openssl s_client -connect host:9000
-This will give you details of the certificate being presented on the port, can be useful to verify the certificate details

Answer 242

A

-TLS can be a complicated feature to enable, proper planning and having a basic understanding of TLS client server architecture can help
-There are multiple places that TLS can be used
-Worker to Leader, Source to Worker, Worker to Destination, Leader GUI
-Have a means to track certificate issuance and expiration
-Use the Stream logs to assist in troubleshooting TLS problems

Answer 243

A

-Worker
-Leader
-NOT Client or Browser

Answer 244

A

-Configure Cribl Member
-Create a Cribl Member user with the correct access to Stream and other products
-Provide the new Cribl Member access to their Worker Group
-Configure Stream Project
-Create a Subscription
-Create a Data Project using the Subscription above
-Add available destinations to the project
-Assign Users
-Give a Cribl member permissions to the Stream Project

Answer 245

A

-Provides control over who has access and visibility within Cribl Projects
-Compliments current authentication methods but will eventually replace them
Settings > Global Settings > Access Management > Members

Answer 246

A

Worker Group > Group Settings > Access Management > Members

Answer 247

A

Admin: Full Access
Editor: Can modify resources within the group
Read Only: has read only access to resources within the group
User: no access unless shared

Answer 248

A

Worker Group > Projects > Subscription

Answer 249

A

Worker Group > Projects > Data Projects

Answer 250

A

-Cribl Admin can provide teams/users with specific data without mdoifying data for other users
-Cribl Members provide granular access to Cribl products including Stream, Edge and Search
-Stream Projects enable users to have control over their data by providing granular access to data flowing through Cribl Stream

Answer 251

A

the team can share complex Cribl Stream data through the subscription

Answer 252

A

-Metrics are a number respresentation of data measured over intervals of time
-Metrics can be an incredibly useful and important part of your observability strategy
-Many logging systems extract and calculate metrics
-Cribl Stream can extract metrics that are not always available

Answer 253

A

-Logs can take up a lot of space and come from multiple systems
-Metrics tend to be leaner and faster
-Solution: Calculate metrics to send to analytics system, and archive the rest

Answer 254

A

-Cribl Stream pipelines contain functions to aggregate or transform logs to metrics
-Extract data from a log line, convert that data to metrics
-Three different functions
-Aggregate
-Publish metrics
-Rollup metrics

Answer 255

A

-Traces represent the end to end request flow through a distributed system
-the data structure of traces looks almost like an event log
-Traces are made up of spans. Spans are events that are apart of a trace

Answer 256

A

-In App Monitoring, traces represent what applications spend time on
-Used by app developers to measure and identify least performant calls in code
-Trace generation and analysis is often done by APM tools

Answer 257

A

Each span begins with: traceid, name, id

Answer 258

A

Cribl Stream can receive and route data without having to stitch, remove irrelevant data, create metric data
Cribl Stream can process raw OptenTelemetry data without app-level changes. Also store raw data indefinitely (such as AWS S3)

Answer 259

A

-API/main process in $CRIBL_HOME/log/directory
-Config Helper process in $CRIBL_HOME/log/group/GROUPNAME directory

Answer 260

A

-API process in $CRIBL_HOME/log/directory
-Worker process in $CRIBL_HOME/log/worker/WP#/directory

Answer 261

A

Pro: Easy to use Cribl Stream to send its own logs
Cons: if something isn’t working, logs might not get sent

Answer 262

A

-Leader itself doesn’t process data, so it can’t forward its own logs
-You can use any file collection option, such as Elastic Filebeat, Splunk Universal Forwarder, Cribl Edge, etc.
-Logs can be collected from the leader via /system/logs API endpoint

Answer 263

A

-Logs can be viewed on disk, Leader UI, or Forwarding
-You have control over logging level or redaction
-Forwarding can be convienent but has trade offs

Answer 264

A

$CRIBL_HOME/log

Answer 265

A

-cribl.log
-access.log
-audit.log
-notifications.log

Answer 266

A

$CRIBL_HOME/log

Answer 267

A

$CRIBL_HOME/log/worker/[wp#]/

Answer 268

A

-Single-Instance (upgrade the instance)
-Distributed Deployment: Upgrade the leader, then the Workers, Commit and Deploy

Answer 269

A

-Default files will be overwritten (check for modifications and custom functions)
-Download package and checksum files if not using CDN

Answer 270

A

Step 1: Stop Stream
Step 2: Back up $CRIBL_HOME (optional)
Step 3: Uncompress new version over the old one
Step 4: Start Stream
Step 5: Validate your Stream environment

Answer 271

A

Step 1: Commit and Deploy (git push to remote repo (optional))
Step 2: Upgrade the Leader (stop Stream, back up $CRIBL_HOME, uncompress new version over the old one, Start Stream
Step 3: Upgrade the Worker Nodes (wait for all the Workers to report to the leader, stop, uncompress new version over the old one, Start Stream)
Step 4: Commit new software version changes (ensure that all workers have reported with new version, commit & Deploy after verifying all workers are upgrade)

Answer 272

A

Stream Settings > System > Upgrade

Answer 273

A

-Cloud Leader and Workers will be automatically upgraded
-Disable Automatic upgrades only applies to customer-managed workers

Answer 274

A

-Upgrade is an install of a new version over the old
-You have the option of manual, UI, or automatic upgrade
-UI Upgrade of workers can be done separately for each worker grou
-You can control how each worker group is upgrade
-Cribl-managed cloud leader and workers upgrade automatically

Answer 275

A

Overwritten

Answer 276

A

Stop > Uncompress > Start

Answer 277

A

-Cribl CDN
-Local path on the server
-HTTP URL

Answer 278

A

-Upgraded after the leader
-Automatically upgraded
-Upgraded by worker group

Answer 279

A

-Single instance deployment can run without Git
-No change tracking or rollbacks
-Mandatory on the leader node for distributed deployments

Answer 280

A

-Track configuration changes
-Compare configuration versions
-Selective commits
-Restore previous configuration version

Answer 281

A

-Make your repository private
-Use .gitignore to exclude wht gets pushed to Git

Answer 282

A

Git
-Single-instance is option
-Distributed is mandatory
-Diff/Commit/Undo/Rollback

Setting up and using Git remote repository
-Make your repository private
-exclude large files

Answer 283

A

1: Make changes in the Development system UI
2: Commit and push changes to remote repository (dev branch)
3: When ready to push changes into Production, create Pull request to move changes from the dev branch to the production branch
4: Merge Pull Request
5: Send notification to Stream to “sync” changes

Answer 284

A

-Follow instructions located at docs.cribl.io
-Set up remote git repo as normal on dev
-Push initial config from dev
-Create dev and prod branches

Answer 285

A

-Use secure protocols such as HTTPS or SSH
-HTTPS using username/password authentication
-SSH uses public/private keys
-Ensure your user accounts are only scoped for least priviledge acces

Answer 286

A

-When using SSH, the private key is stored as $CRIBL_HOME/local/cribl/auth/ssh/git.key
-SSH uses a known_hosts file located at /home/cribl/.ssh/known_hosts
-Import server public keys using the following command (as the cribl user): ssh-keyscan -H <your-git-host.com> >> ~/.ssh/known_hosts</your-git-host.com>

Answer 287

A

-Git will validate SSL certificates when using HTTPS transport
-You should leave this validation enabled
-Self-signed or internal PKI will result in validation failure
-Import non-public CA signed certs for SSL validation

Answer 288

A

-Stream allows for automatic commits and push to remote repository on a scheduled basis
-At a minimum you should set up automatic push
-you can find this configuration under Leader>Git Settings> Scheduled actions

Answer 289

A

-Git can be problematic with large files
-Disable tracking of large lookups by adding files to the .gitignore file in $CRIBL_HOME
-Excluding SSL certificates managed by Stream may cause issues on workers
-Only add exclusions below the CUSTOM SECTION header

Answer 290

A

-Stream’s remote Git push is not a replacement for a comprehensive server backup strategy
-Items outside of $CRIBL_HOME are not tracked inside the Git repository
-Sync files to an S3 bucket for example

Answer 291

A

-Use secure protocols for transport
-Protect authentication keys and use least privileged access
-Add certificates for SSL validation (if required)
-Set up a scheduled push to the remote repository
-Exclude large lookup files
-Git is not a comprensive backup strategy for the Leader node

Answer 292

A

$CRIBL_HOME/.ssh/known_hosts

Answer 293

A

Binding to a priviledge port
Too many open files
Out of memory
Cloning workers
resetting lost passwords
pipeline profiling

Answer 294

A

-Stream should be running as a non root using
-If Cribl Stream is required to listen on ports 1-1024, it will need privileged access. You can enable this on systemd by adding this configuration key to your override.conf file: AmbientCapabilities=CAP_NET_BIND_SERVICE

Answer 295

A

EMFILE too many open files
-When creating partitions avoid high cardinality fields in your expression
Raise the number of files
-For the following destinations, configure Max File options to avoid errors: Filesystem/NFS, Azure Blob, Google Cloud, Amazon S3
Increase Ulimit for Max Open Files (NOFILE)
-Edit systemd file to contain a line similar to the one here: LimitNOFILE=20248

Answer 296

A

Out of Memory (OOM) errors are shown in the cribl_stderr.log file
Lookups
Aggregations

Answer 297

A

Worker GUID
-When you first install and run the software, Cribl Stream generate a GUID which it stores in a .dat file located in $CRIBL_HOME/local/cribl/auth
-When deploying Cribl Stream as part of a host image or VM, be sure to remove this.dat file, so that you do not end up with duplicate GUIDs. Cribl Stream will regenerate the file on the next run

Answer 298

A

Cribl.secret file is located in $CRIBL_HOME/local/cribl/auth.cribl.secret

Answer 299

A

blah blah blah

Answer 300

A

Privileged Port Binding
-lower level port privleges
Too many open Files
-high cardinality path naming
Out of Memory
-Aggregations overloading memory
Cloning Workers
-Removal of DAT file containing the GUID
Lost Passwords
-Plaintext Password replacement in Users.json
Pipeline Profiling
-Helps with troubleshooting pipeline related issues

Answer 301

A

-Run as root (ONE IS WRONG)
-IPtables (ONE IS WRONG)
-Systemctl settings THIS IS CORRECT

Answer 302

A

$CRIBL_HOME/local/auth/users.json

Answer 303

A

-High Cardinality Naming
-High number of incoming connections
-Large amount of persistent queuing

Answer 304

A

Lookups and Aggregations

Answer 305

A

$CRIBL_HOME/local/cribl/auth/*.dat

Answer 306

A

-/proc/sys/fs/file-max
-systemd/system/cribl,service
-/etc/sysctl.conf
-/etc/security/limits.conf

Answer 307

A

anything lower than 1024

Answer 308

A

-Run collector jobs
-Receives data from sources
-sends data to destinations
NOT backs up to Git (local only)

Answer 309

A

20000-20010

Answer 310

A

-Persistant Queuing
-Volume of data incoming?
number of destinations??? I think this answer is wrong
i think correct answer might be type of data processing required

Answer 311

A

-Distributed Stream instance with Leader in Cribl.Cloud and Workers on prem
-Distributed Stream instance with Leader and workers in Cribl.Cloud

Answer 312

A

7 Worker Nodes

Answer 313

A

-Integration with Okta for Authentication
-GitHub Integration

Answer 314

A

Stream TCP and Stream HTTP

Answer 315

A

Higher reliability
unlimited scalability

Answer 316

A

Stream to Stream

Answer 317

A

-Reducing Analytics tool or SIEM spend
-Replaying historical data for threat hunting exercise

Answer 318

A

the name of your pipeline

Answer 319

A

Splunk
Logstash
WRONG

Answer 320

A

Splunk HEC TLS (WRONG ANSWER)

Answer 321

A

Filebeats and Winlogbeats

Answer 322

A

Collectors

Answer 323

A

Data is captured prior to sending to a destination

Answer 324

A

Easier to report in Splunk (WRONG ANSWER)

Answer 325

A

-Sending a full-fidelity copy of an event to S3 and a transformed copy of the event to Splunk
-Sending a filter of events to a Splunk instance, and a filter of other events to an Elastic Instance
ONE OF THESE IS WRONG

Answer 326

A

-Setup a notification when destinations are unhealthy
-Poll the REST API to see if any pipelines are dropping events
WRONG ANSWER

Answer 327

A

Leader sends a request to the first available Worker node, Worker node sends a list of files back to the leader

Answer 328

A

-Netcat or wget from a worker to destination
-run a capture and select ‘before destination’ within Cribl

Answer 329

A

All files will remain open until timeout or max file size is reached

Answer 330

A

Asymmetric

Answer 331

A

cribl.log
notifications.log

Brainscape's Knowledge GenomeTM

Cribl Admin CCOE Flashcards

Brainscape's Knowledge Genome^TM