Anti-Virus Exceptions

Configure your antivirus to prevent accidental blockage of Cribl Edge.


If you are running anti-virus software on an Edge instance’s host OS, here are general guidelines for minimizing accidental blockage of Edge’s normal operation.

Your overall goals are to prevent the anti-virus software from locking any files while Edge needs to write to them, and from triggering any changes that Edge would detect as needing to be committed.

First, if persistent queues are enabled on any Destinations, exclude any directories that these Destinations write to. This is especially relevant if you’re writing queues to any custom locations outside of $CRIBL_HOME.

Next, for any non-streaming Destinations that you’ve configured, exclude their staging paths.

Next, exclude these subdirectories of $CRIBL_HOME:

  • state/
  • log/
  • .git/ (usually only exists on Leader Nodes)
  • groups/ (on Leader Nodes)
  • local/ (on Edge or Leader)

Finally, avoid scanning any processes. Except for the queueing/staging directories already listed above, Edge runs everything in memory, so scanning process memory will slow down Edge’s processing and reduce throughput.

Stop Endpoint Security from Blocking Edge on Windows

Antivirus or other endpoint security tools on Windows (such as Windows Defender) may block the cribl process.

To tell Windows Defender to exclude the Cribl Edge process from its security scan, you can run these commands on the appropriate Windows Edge Nodes:

Add-MpPreference -ExclusionProcess "C:\Program Files\Cribl\bin\nssm.exe"
Add-MpPreference -ExclusionProcess "C:\Program Files\Cribl\bin\cribl.exe"
Add-MpPreference -ExclusionPath "C:\ProgramData\Cribl"
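
To apply the same three exclusions only where they are missing, and then confirm that Defender holds them, a script along these lines can be run on each Windows Edge Node. It is an added example, not part of Cribl's documentation; it assumes the default install paths shown above and an elevated PowerShell session, and the helper name Get-MissingExclusion is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Cribl docs): apply the exclusions above only
# where they are missing, then confirm Defender actually holds them.

# Values copied from the commands on this page (default install locations).
$wanted = @{
    ExclusionProcess = @(
        'C:\Program Files\Cribl\bin\nssm.exe',
        'C:\Program Files\Cribl\bin\cribl.exe'
    )
    ExclusionPath    = @('C:\ProgramData\Cribl')
}

# Hypothetical helper: returns the wanted items Defender does not list yet.
function Get-MissingExclusion {
    param([string]$Kind, [string[]]$Items)
    # Re-read preferences on every call so the result reflects live state.
    $current = @((Get-MpPreference).$Kind)
    # -notcontains is case-insensitive, matching Windows path semantics.
    $Items | Where-Object { $current -notcontains $_ }
}

foreach ($kind in $wanted.Keys) {
    foreach ($item in $wanted[$kind]) {
        # An exclusion for a path that does not exist has no effect and
        # usually means Edge was installed to a non-default location.
        if (-not (Test-Path -LiteralPath $item)) {
            Write-Warning "$item not found; check the install location."
        }
    }
    foreach ($item in (Get-MissingExclusion -Kind $kind -Items $wanted[$kind])) {
        # Splat so the parameter name (-ExclusionProcess or -ExclusionPath)
        # comes from the table key.
        $params = @{ $kind = $item }
        Add-MpPreference @params
        Write-Output "Added $kind $item"
    }
}

# Verification pass: anything still missing was not accepted by Defender.
$failed = foreach ($kind in $wanted.Keys) {
    Get-MissingExclusion -Kind $kind -Items $wanted[$kind]
}
if ($failed) {
    Write-Error "Exclusions not present: $($failed -join ', ')"
    exit 1
}
Write-Output 'All Cribl Edge exclusions are present.'
```

Because the script exits non-zero when an exclusion is still missing, it can also serve as a periodic compliance check from a configuration-management tool.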