These docs are for Cribl Edge 4.2 and are no longer actively maintained.
See the latest version (4.14).
Using ACLs to Allow Cribl Edge to Read Files
Running Cribl Edge as an unprivileged user is a best practice. However, without modifying the default Linux permissions, you will run into issues in accessing files owned by other users.

Linux systems allow you to layer an Access Control List (ACL) on top of the default Linux permission set. With ACLs, you can apply a more specific set of permissions to a file or directory without (necessarily) changing the base ownership and permissions. For details, see Introduction to ACLs.
As an example, you might want to read data from the /var/log directory. This directory is typically owned by the root user, with a permission set of 750 on the directory. This means the cribl user will not be able to read or list the files in the directory, because the Other group has zero permissions.
To achieve compliance with benchmarks such as CIS or NIST, we can use the ACLs to grant the cribl group access to this folder and any files, without disturbing the current permissions.
CIS Benchmark 4.2.3
Make sure that permissions are configured on all log files. Log files must have the correct permissions to ensure that sensitive data is archived and protected.
Other/worldshould not have the ability to view this information.Groupshould not have the ability to modify this information.
To accomplish this, we can grant the cribl group read and execute access to the files and directories inside /var/log, by running this command:
setfacl -Rm g:cribl:r-X /var/logBreaking down the command’s options':
- -R: Recursive
- -m: Modify
- g:cribl=- criblgroup, this could be- u:criblif you wanted to limit to the- cribluser.
- r-X: Read and execute. Capital- Xmeans execute only on directories.
This modifies only the current files in the directory, if you want the appropriate ACL applied to any future files created here, add the -d flag (for default):
setfacl -Rdm g:cribl:r-X /var/logNow, any rotated or created files will apply the ACL set.
Checking the ACLs
To verify the ACLs on a file or directory, run the following command:
getfacl <file or folder>This will output a listing of the applied ACLs, including the directory’s defaults:
$ getfacl /<directory>
# file: <file>
# owner: <owner>
# group: <group>
user::rwx
group::rwx
other::---
default:user::rwx
default:user:<user>:rwx
default:group::rwx
default:mask::rwx
default:other::---Installing ACL Utilities
The ACL utilities might not be installed, by default, on the OS. For example, on Ubuntu (Debian-based) systems, you will need to install the acl package. For Debian-based tools using apt:
apt install aclFor Red Hat-based tools using yum:
yum install acl