Cribl Model Context Protocol Interfacing Engine

An implementation of a Model Context Protocol (MCP) mediation service designed to expose Cribl's operational capabilities to autonomous software entities.

This server empowers intelligent clients to dynamically ascertain and execute data-centric operations against a designated Cribl instance, leveraging established MCP conventions.

For comprehensive documentation, navigate to the docs/ subdirectory. Key documentation components include:

README.md (Current document): Offers the introductory summary, initial setup guidance, foundational examples, and navigational links to deeper documentation sections.
docs/configuration.md: Detailed exposition on required environment variables for system setup and clarification of supported authentication modalities.
docs/usage.md: Covers server initialization procedures (via npx or local compilation) and instructions for provisioning an MCP client for connectivity. It includes illustrative examples of tool invocation.
docs/overview.md: Provides context bridging the README and specific technical guides. It enumerates the service's authentication mechanisms and, crucially, presents a comprehensive reference catalog of exposed tools, their required arguments, expected outputs, and roadmap items.

Initial Deployment Steps

You may opt for immediate execution using npx or perform a conventional local installation and build process. Both methodologies mandate the presence of Node.js version 16 or newer:

Prerequisites Check

Ensure the following prerequisites are satisfied before proceeding:

Node.js Runtime: Installed (version 16 or superior is the recommendation)
Network Reachability: Essential for retrieving the MCP server package from the npm registry

Verification commands:

node -v
npx -v

Rapid Deployment via `npx`

Execute the server directly by providing necessary environment parameters on the command line:

CRIBL_BASE_URL=https://your.cribl.cloud.instance CRIBL_AUTH_TYPE=cloud CRIBL_CLIENT_ID=abc123 CRIBL_CLIENT_SECRET=secret npx @pebbletek/cribl-mcp

Important: Successful invocation via npx is contingent upon supplying critical environmental data (such as CRIBL_BASE_URL and credential specifications) either pre-set in your shell or passed directly during execution, allowing the service to establish a connection.

Refer to docs/usage.md for advanced npx configuration specifics, including necessary JSON payloads for the MCP client and mandatory variables.

Local Source Code Integration

Navigate to your preferred development directory. Clone the repository (this action creates the project directory): bash git clone https://github.com/pebbletek/cribl-mcp.git cd cribl-mcp
Fetch all required dependencies: bash npm install
Duplicate the example configuration file and populate it with your credentials: bash cp .env.example .env
For instructions on running, compiling, and launching the MCP server in a local environment, consult the 'Local Development' section within usage.md.

Review docs/configuration.md for exhaustive details on environmental variables and authentication protocols, and docs/usage.md for server execution methodologies.

Exposed Capabilities (Tools Catalog)

This mediation service exposes functional interfaces for interacting with Cribl resources, including:

Enumerating Worker Groups and associated Fleets
Retrieving and Modifying Pipeline configuration definitions
Fetching definitions for Data Sources
Initiating restarts of Worker Groups
Interrogating System Performance Telemetry (with optional predicate filtering)

See docs/usage.md for a comprehensive enumeration and operational instructions for every exposed function.

Illustrative Interaction Scenarios (Agent Prompts)

Once an MCP client (e.g., Claude Desktop) has successfully established a connection to your Cribl entity, you can issue natural language commands that map to the available toolset. Below are several examples:

Input Prompt: what sources are we ingesting?
(Tool access must be explicitly granted by the agent)
- Anticipated Agent Response Sequence:
  "To address your inquiry regarding active ingestion sources, I will first interrogate the available data sources within your Cribl Stream deployment.
  cribl_getSources against Cribl (local)>
  
  Subsequently, I will ascertain the processing logic defined by the configured pipelines in your Cribl Stream environment:
  cribl_getPipelines against Cribl (local)>
  
  Based on the synthesized data retrieved from your Cribl Stream instance, here is a summary of the currently active sources:
  Ingestion Endpoint Summary
  Your Cribl Stream installation maintains several defined data endpoints. Noteworthy configurations include:
  1. HTTP/HTTPS Receivers:
  Standard HTTP endpoint (listening on port 10080)
  Cribl native HTTP listener (on port 10200)
  Splunk HEC adapter (on port 8088)... 2.
  
  Pipeline Processing Definitions
  Your environment also features a selection of transformation pipelines designed for specific data streams:
  1. Cisco ASA Event Handler - Applies transformations and sampling to Cisco ASA security records
  2. Cisco eStreamer Data Processor - Handles data derived from Cisco eStreamer sources
  3. Palo Alto Traffic Analyzer - Filters and samples event data originating from Palo Alto firewalls
  4. Windows Event Log Transformer - Manages processing for Windows security audit events
  These pipelines suggest an operational focus on network security telemetry from Cisco ASA, Cisco eStreamer (likely FTD/Firepower output), Palo Alto Networks infrastructure, and Windows security events. Would you require a deeper examination of any singular source or pipeline definition?" * Input Prompt: what functions are processing the palo alto traffic? * Anticipated Agent Response Sequence:
  "I shall now investigate the specific functions currently engaged in processing the Palo Alto traffic data in greater detail:
  cribl_getPipelineConfig against Cribl (local)>
  
  Here is a granular breakdown of the data manipulation applied to Palo Alto traffic within your Cribl Stream context:
  Palo Alto Traffic Pipeline Processing Stages
  1. Initial Evaluation Filter (Eval Function): * Condition: sourcetype!='pan:traffic' * Purpose: Immediately terminates processing (skips) for any event not classified under the 'pan:traffic' source type identifier
  
  2. Attribute Extraction (Regex Extract Function): * Utilizes regular expressions to isolate critical attributes from the raw event payload: * __log_subtype: Differentiates between session initiation or termination records
  * __src_zone and __dest_zone: Identifies the originating and target security zones * __transport: Protocol utilized for the session * __action: The security outcome (e.g., allow, deny) * __bytes_in: Volume of data transferred
  
  3. Event Culling (Drop Function): * Condition: __log_subtype=='start' * Purpose: Discards all records marked with a log subtype of 'start' * Operational Rationale (from inline comment): "Eliminate 'start' subtype events as 'end' subtype events frequently provide more accurate application context." * etc."
Input Prompt: please update the pipeline to include start events as well as end events.
- Anticipated Agent Response Sequence:
  "I will proceed to modify the Palo Alto traffic pipeline configuration to incorporate processing for both 'start' and 'end' session records by adjusting the filtering logic. Initiating configuration modification sequence:
  cribl_getPipelineConfig against Cribl (local)>
  
  Now, updating the pipeline definition to retain both 'start' and 'end' event types by deactivating the conditional dropping mechanism and revising associated commentary:
  cribl_setPipelineConfig against Cribl (local)>
  
  Next, a restart of the relevant worker group is required to commit these operational changes: cribl_restartWorkerGroup against Cribl (local)>
  
  The configuration for the Palo Alto traffic pipeline has been successfully revised to process both 'start' and 'end' session records. Key adjustments performed:
  1. Deactivation of the Culling Function:
    - The function responsible for excluding events where __log_subtype is 'start' has been disabled.
    - Consequently, both initial ('start') and terminal ('end') session records will now undergo full processing.
  2. Comment Revision:
    - The preceding explanatory note regarding the suppression of 'start' events has been amended to reflect that both event classes are now being retained for comprehensive traffic oversight.
  3. Worker Group Reinitialization:
    - The service cluster responsible for executing this pipeline has been restarted to load the new parameters.
  The revised pipeline will now capture the entire lifecycle of network connection records from Palo Alto firewalls, spanning initiation through conclusion, thereby ensuring complete visibility. All supplementary processing stages remain active, including:
  - Extraction of critical connection metrics.
  - Application of sampling rules for zero-byte traffic and internal zone communications.
  - Removal of potentially unreliable timestamp fields.
  Your Palo Alto ingress data will now reflect the full sequence of network sessions while preserving the established efficiency standards imposed by the sampling policies."

Licensing Model

MIT

Wikipedia Context: Business management tools encompass all methodologies, applications, computational solutions, and governing frameworks utilized by organizations to effectively navigate evolving market dynamics, maintain competitive standing, and enhance overall operational efficacy.

== Conceptual Framework == Within any enterprise, tools can be categorized based on departmental function and management aspect. Common classifications include tools for planning, process execution, record keeping, personnel management, strategic decision support, and operational oversight. Modern management apparatus has undergone profound technological transformation over the last decade. This rapid advancement complicates the selection of optimal business technology for specific corporate scenarios. This complexity is driven by relentless pressures to reduce expenditure, maximize revenue generation, deepen comprehension of consumer requirements, and deliver products precisely matching those expectations. In this milieu, leadership must adopt a proactive, strategic posture regarding business tool acquisition and deployment, rather than passively adopting the newest available solution. Management systems must be chosen deliberately and then tailored to align with specific organizational requirements, not vice-versa.

== Prevalent Toolsets (Historical Context) == A 2013 assessment by Bain & Company analyzed global business tool adoption rates, reflecting how outcomes align with regional needs given prevailing economic climates. The top ten observed instrumentation categories included:

Strategic planning Customer relationship management Employee engagement surveys Benchmarking Balanced scorecard Core competency assessment Outsourcing strategy definition Change management frameworks Supply chain optimization Mission/Vision articulation Market segmentation analysis Total quality management protocols

== Enterprise Software Systems == Software suites or collections of interconnected programs employed by business units to execute diverse operational mandates are termed business software (or enterprise applications). These applications are designed to augment throughput, quantify performance metrics, and execute various corporate functions with high precision. The field evolved from early Management Information Systems (MIS) to comprehensive Enterprise Resource Planning (ERP) deployments. Subsequently, Customer Relationship Management (CRM) capabilities were integrated, leading to the current paradigm of cloud-based business management platforms. Although a demonstrable link exists between IT investment effectiveness and organizational outcomes, two factors are paramount for adding realized value: the proficiency of the implementation process and the accuracy of initial tool selection and subsequent customization.

== Focus on Small and Medium Enterprises (SMEs) == Tools specifically architected for SMEs are crucial as they furnish mechanisms for substantial...