Using TLS for Secure Connections

AppScope supports TLS over TCP connections:

  • AppScope can use TLS when connecting to LogStream or another application (including its events and metrics destinations).
  • LogStream can use TLS when connecting to AppScope over TCP.

To see the TLS-related environment variables, run the command: ldscope --help configuration | grep TLS

In the scope.yml config file, the transport definition includes an optional tls element. See Config Files.

Using TLS in Cribl.Cloud

In Cribl.Cloud, when communicating with LogStream, AppScope uses TLS by default.

Within Cribl.Cloud, a front-end load balancer (reverse proxy) handles the encrypted TLS traffic and relays it to the AppScope Source port in LogStream. The connection from the load balancer to LogStream does not use TLS, and you should not enable TLS on the AppScope Source in LogStream. No changes in LogStream configuration are needed.

AppScope connects to port 10090 of the Cribl.Cloud Ingest Endpoint. Use the tenant hostname you were assigned when you joined Cribl.Cloud.

CLI usage

Use scope with the -c option:

scope -c tls://host:10090

Configuration for LD_PRELOAD or ldscope

To connect AppScope to a LogStream Cloud instance using TLS:

  1. Enable the tls element in scope.yml.
  2. Connect to port 10090 on your Cribl.Cloud Ingest Endpoint.

To enable TLS in scope.yml, adapt the example below to your environment:

cribl:
  enable: true
  transport:
    type: tcp  # don't use tls here, use tcp and enable tls below
    host: in.logstream.example-tenant.cribl.cloud
    port: 10090 # cribl.cloud's port for the TLS AppScope Source
    tls:
      enable: true
      validateserver: true
      cacertpath: ''

Scoping Without TLS

If you prefer to communicate in without encryption, connect to port 10091 instead of port 10090.

If it is enabled, disable the tls element in scope.yml.

If connecting to LogStream in Cribl.Cloud, no changes in LogStream configuration are needed.