AppScope supports TLS over TCP connections. Here's how that works:
For security's sake, AppScope never opens ports, nor does it listen for or allow incoming connections.
To enable TLS: In the
scope.yml config file, set the
transport : tls : enable element to
To see the TLS-related environment variables, run the command:
ldscope --help configuration | grep TLS
AppScope uses TLS by default to communicate with Cribl Stream over TCP on Cribl.Cloud. Cribl Stream has an AppScope Source ready to use out-of-the-box.
Within Cribl.Cloud, a front-end load balancer (reverse proxy) handles the encrypted TLS traffic and relays it to the AppScope Source port in Cribl Stream. The connection from the load balancer to Cribl Stream does not use TLS, and you should not enable TLS on the AppScope Source in Cribl Stream. No changes in Cribl Stream configuration are needed.
AppScope connects to your Cribl.Cloud Ingest Endpoint on port 10090. The Ingest Endpoint URL is always the same except for the Cribl.Cloud Organization ID, which Cribl Stream uses in the hostname portion, in the following way:
If you disable TLS, the port is 10091.
scope run with the
-c option (in this example, we're scoping
scope run -c tls://host:10090 -- ps -ef
To connect AppScope to a Cribl.Cloud-managed instance of Cribl Stream using TLS:
transport : tls : enableelement in
To enable TLS in
scope.yml, adapt the example below to your environment:
cribl: enable: true transport: type: tcp # don't use tls here, use tcp and enable tls below host: in.main-default-<organization>.cribl.cloud port: 10090 # cribl.cloud's port for the TLS AppScope Source tls: enable: true validateserver: true cacertpath: ''
If you prefer to connect to Cribl Stream on Cribl.Cloud without encryption, connect to port 10091 instead of port 10090, and disable the
tls element in
No changes in Cribl Stream configuration are needed.