A Model Context Protocol (MCP) server that enables AI interactions with the Cribl API.
This server allows AI clients to discover and invoke data operations from a Cribl deployment, using standardised MCP tooling.
For detailed documentation, please see the docs/ directory. Here's a breakdown of the documentation files:
README.md(this file): Provides the highest-level introduction, quick start instructions, very basic examples, and links to the docs directory.docs/configuration.md: Focuses specifically on the environment variables needed for configuration and explains the authentication modes. It's purely about setup.docs/usage.md: Focuses on how to run the server (via npx or local development commands) and how to configure an MCP client to connect to it. It provides conceptual examples of invoking the tools.docs/overview.md: Sits between the README and the specific config/usage docs. It details what the server offers in terms of authentication and, most importantly, provides a detailed reference guide to the available tools and their specific parameters/outputs, and future tools.
You can either install and run locally, or execute instantly via npx. npx saves you installing Git, dependencies, or any build tools. Both scenarios require you to have node later than version 16 installed:
To run this server ensure the following:
- Node.js is installed (version 16 or later recommended)
- Internet access is available (to fetch the MCP server package from npm)
You can install Node.js from https://nodejs.org.
To verify your setup:
node -v
npx -vCRIBL_BASE_URL=https://your.cribl.cloud.instance CRIBL_AUTH_TYPE=cloud CRIBL_CLIENT_ID=abc123 CRIBL_CLIENT_SECRET=secret npx @pebbletek/cribl-mcpNote: Running npx requires essential environment variables (like CRIBL_BASE_URL and authentication details) to be set either in your environment or passed directly on the command line for the server to connect successfully.
See docs/usage.md for advanced npx usage configuration, including relevant JSON for your MCP client, and required variables.
- Browse to a high-level folder where you'll store the code base (cloning will create the containing folder). Clone the repo:
git clone https://github.com/pebbletek/cribl-mcp.git cd cribl-mcp - Install dependencies:
npm install
- Copy the
.env.examplefile and populate the required values:cp .env.example .env
- See usage.md > Local Development for running, building and starting the mcp server
See docs/configuration.md for details on environment variables and authentication, and docs/usage.md for running the server.
This server exposes the following MCP tools, organized by category. Most group-scoped tools accept an optional groupName parameter — if omitted, the server auto-resolves to the default worker group.
| Tool | Description |
|---|---|
cribl_listWorkerGroups |
Lists worker groups/fleets, filterable by product type (stream, edge, search, all) |
cribl_getWorkerGroupStatus |
Returns operational status for worker groups (worker count, config version, etc.) |
cribl_getWorkers |
Lists individual worker nodes with hostname, status, version, CPU, and memory usage |
cribl_restartWorkerGroup |
Restarts all workers within the default worker group |
cribl_getSystemInfo |
Retrieves system info including version, build, license, and uptime |
cribl_getSystemMetrics |
Queries system metrics with optional filtering (filterExpr, metricNameFilter, time range, etc.) |
cribl_getAppLog |
Fetches recent application log entries, with optional limit and filter |
cribl_getUsers |
Lists user accounts including usernames, roles, and disabled status |
cribl_getAlerts |
Fetches system alerts/messages with pagination and filtering support |
cribl_getNotifications |
Fetches notification rule definitions (alert rules that trigger on conditions) |
| Tool | Description |
|---|---|
cribl_getPipelines |
Lists pipeline definitions in a worker group |
cribl_getPipelineConfig |
Retrieves the full configuration JSON for a specific pipeline |
cribl_setPipelineConfig |
Applies a new configuration payload to a pipeline |
cribl_createPipeline |
Creates a new pipeline with specified functions |
cribl_deletePipeline |
Deletes a pipeline from a worker group |
cribl_previewPipeline |
Sends sample events through a pipeline and returns transformed output for testing |
| Tool | Description |
|---|---|
cribl_getRoutes |
Lists route configurations (source -> pipeline -> destination mappings) |
cribl_createRoute |
Creates a new route with output, filter, pipeline, and enabled settings |
cribl_toggleRoute |
Enables or disables an existing route |
cribl_deleteRoute |
Deletes a route from a worker group |
| Tool | Description |
|---|---|
cribl_getSources |
Lists source (input) configurations in a worker group |
cribl_createSource |
Creates a new source (e.g., syslog, http, splunk_tcp, kafka) |
cribl_updateSource |
Updates fields on an existing source configuration |
cribl_deleteSource |
Deletes a source from a worker group |
cribl_getDestinations |
Lists destination (output) configurations in a worker group |
cribl_createDestination |
Creates a new destination (e.g., s3, splunk, syslog, kafka) |
cribl_updateDestination |
Updates fields on an existing destination configuration |
cribl_deleteDestination |
Deletes a destination from a worker group |
| Tool | Description |
|---|---|
cribl_getLookups |
Lists lookup file definitions in a worker group |
cribl_getLookupContent |
Fetches the actual data content (columns and rows) of a lookup file |
cribl_uploadLookup |
Creates or updates a lookup file with provided fields and rows |
cribl_getPacks |
Lists installed packs in a worker group |
cribl_getSamples |
Lists sample data files in a worker group |
cribl_getSampleData |
Fetches the actual event content of a sample data file |
cribl_getEventBreakers |
Lists event breaker rulesets |
cribl_getGlobalVariables |
Lists global variables defined in a worker group |
cribl_getRegexLibrary |
Lists named regex patterns from the regex library |
cribl_getParserLibrary |
Lists parser definitions for extracting structured fields from raw data |
cribl_getSchemas |
Lists schema definitions for expected event structure |
cribl_getDatasets |
Lists dataset providers in a worker group |
| Tool | Description |
|---|---|
cribl_getJobs |
Lists jobs in a worker group |
cribl_getCollectors |
Lists collector configurations (scheduled data collection) |
cribl_runCollectorJob |
Triggers an on-demand run of a collector job |
| Tool | Description |
|---|---|
cribl_versionControl |
Detects if git version control is enabled and shows remote repo, branch, and status |
cribl_getGitDiff |
Shows uncommitted configuration changes (git diff) — use before committing |
cribl_commitPipeline |
Commits staged config changes to version control with a message |
cribl_deployPipeline |
Deploys a specific committed version to a worker group |
| Tool | Description |
|---|---|
cribl_runSearch |
Submits a search job to Cribl Search, returns a job ID for polling |
cribl_getSearchResults |
Retrieves results for a previously submitted search job |
For detailed parameter documentation and usage instructions, see docs/overview.md.
Once connected via an MCP client (like Claude Desktop), you can interact with your Cribl instance using natural language prompts that leverage the available tools. Here are some examples:
-
Prompt:
what sources are we ingesting?
(you will need to allow the MCP client access to the tool)-
Response will be something like:
"To answer your question about ingested sources, let me check the available data sources in your Cribl Stream environment.
<View result from cribl_getSources from Cribl (local)>Let me also check what pipelines are configured in your Cribl Stream environment:
<View result from cribl_getPipelines from Cribl (local)>Based on the information I've retrieved from your Cribl Stream environment, here are the sources you are ingesting:
Active Data Sources
Your Cribl Stream instance has several configured data sources, with the following notable ones:- HTTP/HTTPS Sources:
HTTP source (port 10080)
Cribl HTTP (port 10200)
Splunk HEC (port 8088)... - <etc.>
Pipeline Configurations
Your environment also has several pipelines configured for processing specific data types:- Cisco ASA events - Filters and samples Cisco ASA security logs
- Cisco eStreamer data - Processes Cisco eStreamer data
- Palo Alto traffic events - Filters and samples Palo Alto traffic logs
- Windows Event Logs - Processes Windows security event logs
These pipelines suggest you're ingesting network security logs from Cisco ASA firewalls, Cisco eStreamer (likely from Firepower/FTD devices), Palo Alto Networks firewalls, and Windows security events.
Would you like more detailed information about any specific source or pipeline configuration?" - HTTP/HTTPS Sources:
-
-
Prompt:
what functions are processing the palo alto traffic?-
Response:
"Let me examine the functions that are processing the Palo Alto traffic in more detail:
<View result from cribl_getPipelineConfig from Cribl (local)>Here's a detailed breakdown of how the Palo Alto traffic data is being processed in your Cribl Stream environment:
Palo Alto Traffic Pipeline Functions
1. Initial Filter (Eval):- Filter: sourcetype!='pan:traffic'
- Description: Short-circuits (skips) all events that are NOT of sourcetype 'pan'
- This is set as a final function, meaning if the condition is true, processing stops for that event
2. Field Extraction (Regex Extract):
- Extracts several key fields from the raw event using regex pattern matching:
- __log_subtype: Identifies if the log is a start/end record
- __src_zone and __dest_zone: Source and destination security zones
- __transport: Transport protocol
- __action: Action taken (allow, deny, etc.)
- __bytes_in: Bytes received
3. Filtering Events (Drop):
- Filter: __log_subtype=='start'
- Description: Drops all events with log subtype of 'start'
- Rationale (from comment): "Drop events of log_subtype=start as they often have incorrect app assignment. Log_subtype=end contain better information."
- etc."
-
-
Prompt:
please update the pipeline to include start events as well as end events.-
Response:
"I'll update the Palo Alto traffic pipeline to include both "start" and "end" events by modifying the configuration. Let me make this change for you:
<View result from cribl_getPipelineConfig from Cribl (local)>Now I'll update the pipeline configuration to keep both "start" and "end" events by disabling the drop function and updating the comments:
<View result from cribl_setPipelineConfig from Cribl (local)>Now let's restart the worker group to apply these changes: <View result from cribl_restartWorkerGroup from Cribl (local)>
The Palo Alto traffic pipeline has been successfully updated to include both "start" and "end" events. Here's what I modified:
-
Disabled the Drop Function:
- The function that was filtering out __log_subtype=='start' events has been disabled
- This means both "start" and "end" session events will now be processed
-
Updated the Comment:
- Changed the comment from explaining why "start" events were being dropped to noting that both event types are now being kept for complete traffic visibility
-
Restarted the Worker Group:
- Applied the changes by restarting the Cribl Stream worker group
The updated pipeline will now process both "start" and "end" events from your Palo Alto firewalls, giving you complete visibility into traffic sessions from initiation through completion. All other processing functions remain in place, including:
- Field extraction for key traffic attributes
- Sampling for zero-byte traffic and trusted zone traffic
- Removal of unreliable date fields
Your Palo Alto traffic data will now include the complete lifecycle of network connections while still maintaining the efficiency benefits of the sampling rules."
-
-
MIT