These docs are for Cribl Edge 4.11 and are no longer actively maintained.
See the latest version (4.13).
Installing Cribl Edge on Windows
You can install Cribl Edge in a supported Windows environment.
Supported Windows Versions
Cribl Edge supports these versions of Windows:
Version | Notes |
|---|---|
| Windows 10 and 11 | You can deploy Cribl Edge on laptops, desktops, and workstations running Windows 10 and 11. Keep these things in mind when deploying Cribl Edge on Windows 10 and 11 workstations:
|
| Windows Server 2016 Windows Server 2019 Windows Server 2022 Windows Server 2025 | Functionality is the same as generally supported Windows Server platforms. |
Before You Install Cribl Edge on Windows
- Set a compatible browser as your default browser: Microsoft Edge, Firefox, or Chrome. (We support the five most-recent versions of these browsers. Cribl Edge is not compatible with Internet Explorer.)
- Cribl Edge on Windows relies on PowerShell for certain operational tasks. Verify that PowerShell is installed and accessible on your Windows systems.
- Ensure that the required ports are available (see Network Ports).
- Go to the Cribl Download page and set the Software drop-down to
Cribl Edge for Windows. - Click Download Now to get the
.msiinstaller.
You can also concatenate and copy/paste the bootstrap script in your command prompt to add Windows Nodes.
To install Cribl Edge, you might need to add exceptions to your antivirus or endpoint security tools (such as Windows Defender). For details, see Installing or Upgrading Nodes with Endpoint Security.
About Environment Variables
Environment variables specified during installation are added to the service configuration in the Windows registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cribl in the Environment key.
When setting environment variables:
- You can add but not remove environment variables using the interactive wizard.
- Variables are merged in the following priority order (highest to lowest):
- Variables specified via command line during installation.
- Existing environment variables already configured for the service.
This ensures that command-line specifications take precedence over existing configurations, while preserving any previously set variables not explicitly overridden.
The CRIBL_VOLUME_DIR variable is stored separately in the Windows registry using the NSSM configuration path, which is different from where other environment variables are stored. NSSM is the service management tool used by Cribl Edge to run as a Windows service. For details, see What is the nssm.exe process in the Frequently Asked Questions section below.
Select the Installation Type
You now have two installation options:
- Launch the
.msito install via an interactive wizard. - Use the
.msito install via a command prompt, or to script bulk installs.
Either method installs Cribl Edge as a Windows service. This enables Cribl Edge to automatically restart whenever the Windows Server reboots.
If you are on Cribl.Cloud, the Enabling TLS After Installation section will walk you through creating an instance.yml file upon initial Cribl Edge/Windows installation, and then copying it to the same location for each subsequent install.
Please see Known Issues for any current limitations on automatic version upgrades.
Use the Wizard
Double-click the Cribl Edge
.msito launch the Cribl Edge Setup Wizard. Select Next to start.Read the End-User License Agreement and check the box to accept the terms. For the most current copy and details, see Terms of Service.
On the wizard’s next page, confirm or change the Destination Folder. (The default path will expand as
C:\Program Files\Cribl).
Select location If the installer detects a config file from a previous Cribl Edge installation, the modal will ask you if you want to keep your current config or create a new config file for the installation. Select Keep config to persist your previous configurations stored in the
instance.ymlfile.
Keep Config Select either Managed or Single-instance as the installation type. See Types of Deployment for information on these options.
If you chose Keep config in the previous window, the installer will skip the installation type selection.
For Cribl.Cloud, Select Managed Edge Node.
Select installation type If you select Managed mode, enter the Leader hostname or IP address, port, auth token, and optionally the Fleet and any tags.
Connection Details Select a Windows account type for the Cribl Edge service:
- Local System Account: The default account type. This is a local Windows service account that does not have a corresponding user profile.
- Username / Password: Enter your Username and Password credentials to run Cribl Edge. To successfully log Cribl Edge as a service, you might need to include the domain name in the Username.
Use Credentails Optionally Create a desktop shortcut.
Desktop shortcut option On the final Ready to Install page, click Install to confirm.
Installation summary When installation is complete, double-click the Cribl Edge icon on your Desktop or File Explorer. This will launch Cribl Edge’s login page in your default browser. Or go to
http://localhost:9420and log in with default credentials (admin:admin).
As of Cribl Edge v.4.0, the modified data (including the
instance.yml) now goes toC:\ProgramData\Criblinstead ofC:\Program Files\Cribl.
Retrieve Cribl.Cloud Credentials
On Cribl.Cloud, retrieve the Leader URI and Auth Token from your Cloud instance like this:
- Navigate to the Manage Edge Nodes page.
- From the Add/Update Edge Node control at upper right, select Bootstrap new.
- Select Add Windows.
- Copy the Leader hostname/IP value.
- The Leader Port field is
4200. - Display the Auth Token value, and copy/paste it into the installer. The Auth Token is required to enable communication between the Leader and Edge Node.
Use the MSI Installer
From the command line, you can install Cribl Edge as a single instance or as a Managed Node. See User Context and MSI Installer Options for important details regarding user accounts and installer settings.
Install Single-Instance/Standalone Cribl Edge
To run Edge locally, as a single-instance deployment on your own machine, enter the following at your command prompt for a silent install:
msiexec /qn /i cribl-<version>-<build>-<arch>.msi Next, go to http://localhost:9420 and log in with default credentials (admin:admin).
You can now start configuring Cribl Edge with Sources and Destinations, or start creating Routes and Pipelines.
Install Managed Edge Nodes
You can use the Leader UI to concatenate and copy/paste the bootstrap script for adding a Windows Node.
Or, to run Cribl Edge as a managed Node, enter the following at your command prompt for a silent install:
msiexec /qn /i cribl-<version>-<build>.msi MODE=mode-managed-edge HOSTNAME=<yourhostname> PORT=4200 AUTH=myAuthToken FLEET=myfleetTo set one or more environment variables during installation, use the SETENVVARS parameter with pipe-delimited key-value pairs. The entire string must be quoted:
msiexec /qn /i cribl-<version>-<build>.msi setenvvars="HTTP_PROXY=http://203.0.113.1:8080|HTTPS_PROXY=http://203.0.113.1:8080|CRIBL_DIST_WORKER_PROXY=socks5://203.0.113.1:1080|NODE_EXTRA_CA_CERTS=C:\Temp\mitmproxy-ca-cert.pem" MODE=mode-managed-edge HOSTNAME=<yourhostname> PORT=4200 AUTH=myAuthToken FLEET=myfleet The variable names and values cannot contain the pipe character ("|") as it’s used as the separator.
For Cribl Edge v.4.1.0 or later, use the flag KEEPDATA=1 to persist data between installs. KEEPDATA will not overwrite the existing configurations, state, logs, etc.
msiexec /qn /i cribl-<version>-<build>.msi KEEPDATA=1For prior versions, use the flag COPYDATA=1 to persist data between installs. COPYDATA copies the instance.yml file from C:\Program Files\Cribl to C:\ProgramData\Cribl.
You can now manage this node from the specified Leader.
For other parameter options, see the CLI Reference. Here is an example command:
msiexec /qn /i cribl-<version>-<build>.msi MODE=mode-managed-edge HOSTNAME=192.0.2.1 PORT=4200 AUTH=myAuthToken FLEET=myfleet COPYDATA=1MSI Installer Properties
Below is a comprehensive list of installer properties specific to the Cribl Edge MSI package, along with their descriptions. These properties allow you to customize your Cribl Edge installation when using the msiexec command.
| Installer Property | Description |
|---|---|
MODE | Sets the deployment mode for Cribl Edge. For example, use mode-managed-edge for a managed node. If not specified, a single-instance deployment is implied. |
HOSTNAME | Specifies the Leader’s hostname or IP address when installing Cribl Edge in mode-managed-edge. |
PORT | Specifies the Leader’s port when installing in mode-managed-edge. The default port is 4200. |
AUTH | Provides the authentication token required for the Edge Node to connect to the Leader. |
FLEET | Assigns the newly installed Edge Node to a specific Fleet within your Cribl deployment. |
SETENVVARS | Lets you define multiple environment variables for the installed Cribl Edge service. You pass a string of pipe-delimited KEY=VALUE pairs. This property injects environment variables into the service’s configuration at installation time. |
KEEPDATA (v4.1.0+) | When set to 1, this property instructs the installer to preserve existing configuration, state, and logs during an upgrade, ensuring your data is not overwritten. |
COPYDATA (pre-v4.1.0) | When set to 1, this property copies the instance.yml file from the old installation path to the new data location during an upgrade, helping to persist your configuration. |
USERNAME | Specifies the Windows account under which the Cribl Edge service will run. Examples include LocalSystem (the default) or a specific user account. |
PASSWORD | Specifies the login password for the above username, only valid when using a specific user account (not LocalSystem). |
APPLICATIONROOTDIRECTORY | Defines the installation directory for the Cribl Edge application binaries. This is where the core program files will be placed. |
VOLUMEDIR | Specifies a separate directory for Cribl Edge’s runtime data, including configurations, logs, and state information. This allows you to store data independently from the application binaries. |
Enable TLS After Installation
Some on-prem deployments don’t require secure (TLS) communication between the Leader and Edge Node. In these cases, the Managed Node will complete its configuration, followed by removing the admin/admin password. There will be no reason to locally log in, as you can manage the Edge Node via the Leader UI.
For sites using secure TLS connections to the Leader, including Cribl.Cloud, you must configure the local Edge Node to enable TLS. To do this:
- Log into your local instance (at
http://localhost:9420) with the default credentials (admin/admin). - Enable TLS locally. For details, see Secure Leader/Edge Nodes Communication.
- When prompted, restart your Cribl Edge instance.
- Locate the
instance.ymlfile in:- Cribl Edge v.4.0.X or earlier:
Program Files\cribl\local\_system. - Cribl Edge v. 4.1 or later:
C:\ProgramData\Cribl.
- Cribl Edge v.4.0.X or earlier:
To avoid this post-installation update for subsequent Windows installations to other servers, you can copy the instance.yml from this server. After the installation is complete, paste the instance.ymlfile into subsequent servers’ \Program Files\cribl\local\_system folder.
To connect each new Cribl Edge instance to this config file, you’ll need to either restart the Windows Server, or simply run the following commands as a Windows Administrator:
net stop cribl
net start criblAdd or Update a Windows Node
Using the Cribl Edge UI, you can add or update Windows Edge Nodes in your existing deployment.
For more information about adding or updating Edge Nodes, see Adding and Updating Edge Nodes.
To add or update a Windows Edge Node:
In your Cribl Edge instance, select Edge Nodes from the sidebar (you can also select Fleets).
Select Add/Update Edge Node then Windows > Add or Update.
Fill out the fields in the Add Windows Node window. The scripts update in real-time as you change the fields.
Add or update a Windows Edge Node Copy and paste the resulting bootstrap script into Windows Command Prompt or Powershell.
The result is a new Edge Node configured with the options you chose. You should see the Edge Node appear in the Edge Nodes list.
Log the Time of Installation
The Windows bootstrap script includes a log file with a string of zeros
(/l*v "%SYSTEMROOT%\Temp\cribl-msiexec-0000000000000.log"). You can replace the
zeros with an epoch timestamp (in milliseconds), to log when you first installed the Windows
Node.
For example, if you’re adding a Windows Node on October 4, 2024 at 6:07:44 PM Pacific Time,
update the log file in the script to /l*v "%SYSTEMROOT%\Temp\cribl-msiexec-1728090464000.log".
This log is included in the Cribl Edge diag, which is helpful for troubleshooting issues with Windows Node deployments.
When the Leader initiates an upgrade of Cribl Edge, the log file name will automatically include Linux epoch time in milliseconds as the timestamp.
Troubleshooting and Logging
Here are some helpful tips:
Set Logging Options
To debug .msi installation or upgrade issues, you can run msiexec.exe to set logging options. See Microsoft’s Logging Options topic.
Change the Installation Directory
If you want to change the installation directory, use the msiexec command APPLICATIONROOTDIRECTORY. For example:
msiexec.exe /i Cribl-Edge.msi APPLICATIONROOTDIRECTORY="C:\test\" /L*V "C:\Log\CriblInstall.log"If you’re using PowerShell to run the silent install, add two extra pairs of quotes to escape the command’s own quote delimiters. For example:
msiexec /i cribl-<version>-<build>.msi MODE=mode-managed-edge HOSTNAME=192.0.2.1 PORT=4200 AUTH=myAuthToken FLEET=myfleetChange the Data Directory Location
By default, Cribl Edge stores its runtime data in C:\ProgramData\Cribl. To move this data directory to a different location, use the VOLUMEDIR property during installation.
VOLUMEDIR specifies the runtime data location, not where application binaries are stored. If the directory doesn’t already exist, it will be created. This setting must be configured during the initial MSI installation or any subsequent upgrades. For example:
msiexec /qn /i cribl-<version>-<build>.msi VOLUMEDIR=D:\CriblData MODE=mode-managed-edge HOSTNAME=192.0.2.1 PORT=4200 AUTH=myAuthToken FLEET=myfleet KEEPDATA=1 This stores runtime data in D:\CriblData instead of the default C:\ProgramData\Cribl, while keeping application binaries in C:\Program Files\Cribl.
Frequently Asked Questions
Here are some common questions about Cribl Edge on Windows, and the answers!
Q: What is the nssm.exe process?
A: nssm.exe is a wrapper for the cribl.exe binary. It gives Windows Service
Manager the ability to manage an executable program without having to provide a
number of required binary APIs on the executable. So, instead of the cribl.exe
binary needing to provide the APIs, nssm.exe acts as an intermediary, providing
the necessary APIs itself and subsequently spawning cribl.exe as a child
process.
Q: Why is nssm.exe important?
A: The nssm.exe process ensures that Cribl Edge is stable and reliable on
Windows, both by booting up Cribl Edge and restarting it for you. With
the nssm.exe process running, Cribl Edge remains operational even if it closes
unexpectedly. While some antivirus software might flag nssm.exe due to its
monitoring and restart functionality, nssm.exe is a legitimate and essential
component of Cribl Edge.
High CPU utilization may appear shortly after launching Cribl Edge but is not necessarily related to
nssm.exe. We recommend waiting for Cribl Edge to fully boot and stabilize before checking CPU usage.
Q: What registry changes does a Cribl Edge installation make?
A: The Cribl Windows installer (MSI) uses the Windows Registry behind the scenes, but Cribl itself doesn’t need it to run. The installer uses the registry to set up the Cribl service and to remember your settings for future upgrades. Specifically, it uses these locations:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Criblfor service definitionHKEY_LOCAL_MACHINE\SOFTWARE\Criblfor upgrade settings
The MSI installer uses the registry for installation and upgrades, but direct interaction is unnecessary, as Cribl manages its configuration through other means.