These docs are for Cribl Edge 4.12 and are no longer actively maintained.
See the latest version (4.13).
Windows User Permissions and Requirements
This guide explains user context and MSI installer options for installing Cribl Edge on Windows, addressing potential issues related to user privileges and service accounts.
When installing Cribl Edge on Windows, it’s important to distinguish between two user accounts:
- Installer User: This is the user account under which you run the Cribl Edge installer (MSI). This user must have
administratorprivileges to install the software and create the Cribl Edge service. - Service Account: This is the user account under which the Cribl Edge service itself will run. This account needs appropriate permissions to access necessary APIs and perform its functions, including the ability to execute in-product upgrades.
LocalSystemis the default account.
Required Administrator Privileges
Ensure you launch the installer (MSI) from a command prompt or PowerShell window that is running with full administrator privileges. Simply being logged in as an administrator might not be sufficient; you need to explicitly Run as administrator.
Username Formats
When specifying a username during installation (For example, using the USERNAME parameter with the msiexec command), use the correct format. However, the default service account is LOCAL_SYSTEM, which does not require a username or password to be specified. Specifying a username and password is only necessary if you intend to run the service under a specific user account (which is generally discouraged).
Find the Correct Username
If you must use a specific user account, you can find the exact name:
- Open the Services Management console (
services.msc). - Locate the Cribl service.
- Go to the Log On tab of the service’s properties.
Selecting OK in the installer’s user prompt will show the resolved name, making it easier to enter.
The following is an example msiexec command using the recommended LOCAL_SYSTEM account (note the absence of USERNAME and PASSWORD parameters):
msiexec /i cribl-<version>-<build>.msi /qn MODE=mode-managed-edge HOSTNAME=yourLeader FLEET=yourFleet AUTH=YourTokenThe following example shows how to specify a user:
msiexec /i cribl-<version>-<build>.msi /qn MODE=mode-managed-edge HOSTNAME=yourLeader FLEET=yourFleet AUTH=YourToken USERNAME="domain\user" PASSWORD="your_user_password"Service Account Configuration Options
The following options are available for configuring the Cribl Edge service account.
- Local Administrator or Administrators Group (Not Recommended): You can configure Cribl Edge to run under the local
Administratoraccount or a local user who is a member of the localAdministratorsgroup. In such cases, the user must also be granted theLog on as a serviceprivilege. While possible, running as a specific user is generally discouraged due to the management overhead and potential security implications.
Storing passwords in configuration files or scripts poses a significant security risk. If these credentials are compromised, the system and potentially other resources accessible by that account could be vulnerable.
Passwordless Options
Instead of configuring a local Administrator account, you can configure Cribl Edge to run as:
Local System: Cribl Edge on Windows, by default, runs under the
LocalSystemaccount (also referred to asSYSTEM). This is a predefined system account with extensive privileges on the local machine. TheLocalSystemaccount has the requiredLog on as a serviceprivilege by default. It is a passwordless account, meaning it cannot be logged into interactively, and no password is associated with it.Managed Service Accounts (MSA/gMSA): For enhanced security in enterprise environments, we strongly recommend using Managed Service Accounts (MSA) or Group Managed Service Accounts (gMSA) for the Cribl Edge service. These accounts provide automatic password management and improve security posture. Using a standard user account with a password for a service is discouraged. Refer to Microsoft’s documentation for details: Group Managed Service Accounts Overview.
User Requirements
To successfully run the Edge service under a specific user account or the Managed Service Accounts (MSA) the following requirements must be met.
Group Memberships
The user must be a member of the following groups:
- Event Log Readers
- Network Configuration Operators
- Performance Log Users
- Performance Monitor Users
- Users (default)
User Rights
The user must have the following rights, which can be assigned via Local Security Policy or Group Policy tools:
- Log on as a service
- Manage Auditing and Security Log
Folder Permissions
The user needs appropriate permissions for the Cribl Volume directory, C:\ProgramData\Cribl:
- If the folder does not exist: The user must have Write and Modify permissions for
C:\ProgramDatato create the folder and subdirectories. - If the folder already exists: Grant the user Full Control permissions for
C:\ProgramData\Cribl, ensuring permissions propagate to subfolders and files.
The command to Apply Permissions to existing folder (run as Administrator):
icacls "C:\ProgramData\Cribl" /inheritance:e /grant <User Name>:(OI)(CI)F /tTroubleshooting
If you encounter issues, check the Windows Event Viewer for error messages related to the installation or the Cribl Edge service. For detailed installer logs, use the /l*v logfile.txt option with the msiexec. Also, check the Cribl logs themselves for more application-specific information.