---
title: Troubleshoot using Cribl Stream with Cloud SIEM
description: >-
  Investigate issues with sending out-of-the-box Cloud SIEM content with Cribl,
  and explore options on how to fix your configuration so your dashboards and
  detection rules work as expected.
breadcrumbs: >-
  Docs > Datadog Security > Cloud SIEM > Cloud SIEM Guides > Troubleshoot using
  Cribl Stream with Cloud SIEM
---

# Troubleshoot using Cribl Stream with Cloud SIEM

## Overview{% #overview %}

Cloud SIEM applies detection rules to all processed logs so it can detect threats and surface them as security signals. For out-of-the-box content (such as dashboards, log pipelines, and detection rules) to work correctly, Datadog must receive logs with the right `ddsource` value and with the log content in the `message` field.

When you use the [Cribl Stream](https://docs.datadoghq.com/integrations/cribl-stream.md) integration to route logs to Datadog, the default destination configuration causes logs to arrive in an unexpected format. Using passthrough, Cribl serializes the entire event as a JSON string and places it inside the `message` field. This prevents Datadog from parsing the logs correctly, so OOTB dashboards do not populate and detection rules do not fire.

This guide explains the root cause of this behavior and how to configure your Cribl Datadog destination to forward logs in the correct format.

## How Cribl sends data by default{% #how-cribl-sends-data-by-default %}

When Cribl forwards logs to Datadog without a pipeline and using passthrough, and the **Message Field** in the Datadog destination is left blank, Cribl wraps the entire event—including the raw log line, timestamp, host, source, and any other fields—into a JSON string and places it inside the `message` field. For example:

```json
[
  {
    "message": "{\"_raw\":\"2024-01-15 INFO user=john action=login src=10.0.0.1\",\"_time\":1705276800,\"host\":\"web-01\",\"source\":\"crowdstrike\",\"level\":\"INFO\",\"user\":\"john\"}",
    "hostname": "web-01",
    "ddsource": "crowdstrike",
    "ddtags": "env:prod"
  }
]
```

In this format, the actual log line is buried under the `_raw` key of a stringified JSON object. Because the `message` field Datadog receives is that JSON string rather than the raw log line, Datadog's log pipelines cannot parse it correctly, and OOTB dashboards and detection rules do not apply.

## Configure Cribl to forward logs correctly{% #configure-cribl-to-forward-logs-correctly %}

To fix this, configure the **Message Field** in your Cribl Datadog destination to use `_raw`. This tells Cribl to extract only the raw log content and send it as the `message` value, dropping the JSON wrapper. With this setting in place, Datadog receives the log in the correct format, which allows Datadog to parse the log correctly through the appropriate log pipeline:

```json
[
  {
    "message": "2024-01-15 INFO user=john action=login src=10.0.0.1",
    "hostname": "web-01",
    "ddsource": "crowdstrike",
    "ddtags": "env:prod"
  }
]
```

1. In Cribl Stream, navigate to **Routing** and open your **Datadog destination** configuration.
1. Under the **Message Field** setting, enter `_raw`.
1. Set the `ddsource` field to the correct value for your log source (for example, `crowdstrike` for CrowdStrike Falcon logs). This value determines which Datadog log pipeline, dashboards, and detection rules are applied.
1. Save and deploy your changes.

For details on configuring the Datadog destination in Cribl, see the [Cribl documentation](https://docs.cribl.io/stream/destinations-datadog/#configure-cribl-stream-to-output-to-datadog).

### Verify your configuration{% #verify-your-configuration %}

After updating your Cribl destination configuration:

1. Go to [Log Explorer](https://app.datadoghq.com/logs).
1. Search for logs from your source (for example, `source:crowdstrike`).
1. Open a log and confirm the `message` field contains the raw log line (not a JSON-wrapped string).
1. Confirm that log pipeline processing has been applied correctly by checking that the log's attributes are parsed as expected.

If logs are appearing and parsing correctly, your Cribl configuration is working as expected and OOTB Cloud SIEM content is applied properly.
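The following script is an added example, not code from the Datadog or Cribl documentation. It models the two destination behaviours described above (blank **Message Field** versus `_raw`) on a constructed Cribl event, and then audits a batch of Datadog log payloads the way the verification steps ask you to check Log Explorer: it flags any `message` that is still a JSON-wrapped Cribl event (an object carrying `_raw`), recovers the raw line from it, and reports logs with an empty `ddsource`. The `build_datadog_payload` function is a simplified assumption of how the destination serializes events; the audit logic is independent of that model and can be run over payloads captured from your own pipeline. Logs whose raw content is itself JSON (for example, JSON-formatted audit events) are not flagged, because they carry no `_raw` key.

```python
import json
from typing import Any, Dict, List, Optional

# Constructed sample: the event Cribl Stream holds before it reaches the
# Datadog destination. Field names mirror the page's example.
CRIBL_EVENT: Dict[str, Any] = {
    "_raw": "2024-01-15 INFO user=john action=login src=10.0.0.1",
    "_time": 1705276800,
    "host": "web-01",
    "source": "crowdstrike",
    "level": "INFO",
    "user": "john",
}


def build_datadog_payload(event: Dict[str, Any], message_field: Optional[str],
                          ddtags: str = "env:prod") -> Dict[str, Any]:
    """Simplified model (assumption) of the Cribl Datadog destination.

    message_field=None mimics a blank Message Field: the whole event is
    serialized into one JSON string. message_field="_raw" sends only the
    raw log line, which is the configuration the guide recommends.
    """
    if message_field is None:
        message = json.dumps(event, separators=(",", ":"))
    else:
        message = str(event[message_field])
    return {
        "message": message,
        "hostname": event["host"],
        "ddsource": event["source"],
        "ddtags": ddtags,
    }


def wrapped_cribl_event(message: str) -> Optional[Dict[str, Any]]:
    """Return the decoded Cribl event if `message` is a JSON-serialized event
    (a JSON object carrying a `_raw` key); otherwise return None.

    A raw log line that is itself JSON decodes fine but has no `_raw` key,
    so it is correctly left alone.
    """
    if not message.lstrip().startswith("{"):
        return None  # cheap pre-check: only JSON objects can be wrappers
    try:
        decoded = json.loads(message)
    except ValueError:
        return None
    if isinstance(decoded, dict) and "_raw" in decoded:
        return decoded
    return None


def audit_payload(payload: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Produce one finding per log, mirroring the manual Log Explorer checks:
    is `message` still a JSON wrapper, what is the real raw line, and is
    `ddsource` set so the right pipeline and rules can apply."""
    findings = []
    for log in payload:
        message = log.get("message", "")
        wrapped = wrapped_cribl_event(message) if isinstance(message, str) else None
        findings.append({
            "hostname": log.get("hostname"),
            "ddsource": log.get("ddsource"),
            "wrapped": wrapped is not None,
            "raw_line": wrapped["_raw"] if wrapped else message,
            "missing_ddsource": not log.get("ddsource"),
        })
    return findings


if __name__ == "__main__":
    # Constructed batch: one log from a blank Message Field, one from `_raw`.
    batch = [
        build_datadog_payload(CRIBL_EVENT, None),
        build_datadog_payload(CRIBL_EVENT, "_raw"),
    ]
    for finding in audit_payload(batch):
        status = "MISCONFIGURED (JSON-wrapped)" if finding["wrapped"] else "ok"
        print(f'{finding["hostname"]} source={finding["ddsource"]}: {status}')
        print(f'  raw line: {finding["raw_line"]}')
```

If any finding reports `wrapped` as true, the destination is still sending the JSON wrapper and the **Message Field** setting has not taken effect; if `missing_ddsource` is true, the log will not be routed to the source-specific pipeline even when the message itself is correct.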

## Further reading{% #further-reading %}

- [Cloud SIEM](https://docs.datadoghq.com/security/cloud_siem.md)
- [Out-of-the-box Cloud SIEM detection rules](https://docs.datadoghq.com/security/default_rules.md)
- [Create custom detection rules](https://docs.datadoghq.com/security/cloud_siem/detection_rules.md)
- [Log pipelines](https://docs.datadoghq.com/logs/log_configuration/pipelines.md)
