Windows User Permissions and Requirements
Learn what user accounts and administrator privileges you need to run Cribl Edge on Windows.
When installing Cribl Edge on Windows, it’s important to distinguish between two user accounts:
- Installer User: This is the user account you use to run the Cribl Edge installer (MSI). This user must have administrator privileges to install the software and create the Cribl Edge service.
- Service Account: This is the user account the Cribl Edge service runs under. This account needs appropriate permissions to access your data and APIs, as well as administrator privileges to allow the Leader to perform remote Edge Node upgrades across a Fleet. LocalSystem is the default account.
Required Administrator Privileges
Ensure you launch the installer (MSI) from a command prompt that is running with full administrator privileges. Simply being logged in as an administrator might not be sufficient; you need to explicitly Run as administrator.
Service Account Configuration
You have three options when selecting the service account that Cribl Edge runs as: two passwordless options (LocalSystem and MSA/gMSA), and a local user.
- LocalSystem: Cribl Edge on Windows, by default, runs under the LocalSystem account (also referred to as SYSTEM). This is a predefined system account with extensive privileges on the local machine. The LocalSystem account has the required Log on as a service privilege by default. It is a passwordless account, meaning it cannot be logged into interactively, and no password is associated with it.
- Managed Service Accounts (MSA/gMSA): You can use Managed Service Accounts (MSA) or Group Managed Service Accounts (gMSA) for the Cribl Edge service. These accounts provide automatic password management and improve security posture. MSA/gMSA are passwordless options. Refer to Microsoft documentation for details: Group Managed Service Accounts Overview.
- Local user: You can configure Cribl Edge to run under a local user. If you need to run Leader-initiated Edge Node upgrades in a Fleet, add this user to the Administrators group. In such cases, the user must also be granted the Log on as a service privilege.
Avoid storing passwords in scripts or config files. Exposed credentials jeopardize the local system and any networked resources accessible by that account.
Service Account Username and Password
During installation, you need to specify the username (and in some cases, the password) for the service account.
For example, you can pass the USERNAME and PASSWORD parameters to the msiexec command.
One exception is the default service account, LocalSystem, which does not require a username or password to be specified.
The following is an example msiexec command using the LocalSystem account (note the absence of USERNAME and PASSWORD parameters):
msiexec /i cribl-<version>-<build>.msi /qn ^
MODE=mode-managed-edge ^
HOSTNAME=<leaderHostname> ^
FLEET=<fleetName> ^
AUTH=<authToken>
Username with gMSA
Using gMSA requires specifying the username (in the full form of domain\gmsaAccountName$), but not a password, because gMSA is a passwordless option.
To install Edge and run the service under a gMSA, you can use the following command:
msiexec /i cribl-<version>-<build>.msi /qn ^
MODE=mode-managed-edge ^
HOSTNAME=<leaderHostname> ^
FLEET=<fleetName> ^
AUTH=<authToken> ^
USERNAME=<domain\gmsaAccountName$>
Username with a Local User
When running as a local user, selecting OK in the installer’s user prompt will show the resolved user name. Alternatively, you can find the exact username in the following way:
- Open the Services console (services.msc).
- Locate the Cribl service.
- Open the service properties and check the Log On tab, which shows the name of the user the service runs as.
The following example shows how to specify the local user name and password:
msiexec /i cribl-<version>-<build>.msi /qn ^
MODE=mode-managed-edge ^
HOSTNAME=<leaderHostname> ^
FLEET=<fleetName> ^
AUTH=<authToken> ^
USERNAME=<domain\user> ^
PASSWORD=<password>
User Requirements
To successfully run the Edge service under a specific user account, Managed Service Accounts (MSA), or Group Managed Service Accounts (gMSA), the following requirements must be met.
Group Memberships
The user must be a member of the following groups:
- Event Log Readers
- Network Configuration Operators
- Performance Log Users
- Performance Monitor Users
- Users (default)
User Rights
The user must have the following rights, which can be assigned via Local Security Policy or Group Policy tools:
- Log on as a service
- Manage Auditing and Security Log
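The following PowerShell script is an added example, not part of the Cribl documentation, that audits a candidate service account against the group memberships and user rights listed above before you pass it as USERNAME. The account name CONTOSO\svc-cribl-edge$ is a hypothetical placeholder, and the script assumes an elevated session on the Edge Node.

```powershell
#Requires -RunAsAdministrator
# Added example: audit a service account against the group and user-right
# requirements for the Cribl Edge service. Not Cribl's own tooling.
param([string]$Account = 'CONTOSO\svc-cribl-edge$')  # hypothetical gMSA name

# Compare by SID so that name formatting differences do not cause misses.
$sid = [System.Security.Principal.NTAccount]::new($Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Direct local group membership only: membership inherited through nested or
# domain groups is not expanded and is reported as False.
$groups = 'Event Log Readers', 'Network Configuration Operators',
          'Performance Log Users', 'Performance Monitor Users', 'Users',
          'Administrators'   # needed only for Leader-initiated upgrades
$report = foreach ($g in $groups) {
    $members = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check   = "Group: $g"
        Present = [bool]($members | Where-Object { $_.SID.Value -eq $sid })
    }
}

# Export the user-rights assignments and look up the two required rights by
# their constant names.
$inf = Join-Path $env:TEMP "user-rights-$PID.inf"
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
try     { $policy = Get-Content $inf }
finally { Remove-Item $inf -ErrorAction SilentlyContinue }

$rights = [ordered]@{
    SeServiceLogonRight = 'Log on as a service'
    SeSecurityPrivilege = 'Manage auditing and security log'
}
$report += foreach ($r in $rights.Keys) {
    $line = $policy | Where-Object { $_ -match "^$r\s*=" }
    # Holders are comma-separated; SIDs carry a leading '*'. Entries stored as
    # names, or rights granted through a group, are not resolved here.
    $holders = if ($line) {
        ($line -split '=', 2)[1].Split(',').Trim().TrimStart('*')
    } else { @() }
    [pscustomobject]@{
        Check   = "Right: $($rights[$r])"
        Present = $holders -contains $sid
    }
}

$report | Format-Table -AutoSize
```

A True on the Administrators row means the account can perform Leader-initiated upgrades but also holds full local administrator privileges on the node.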
Service Accounts and Edge Node Upgrades
When you upgrade Windows Edge Nodes in a Fleet (by setting a target software version), the upgrade is performed by running the MSI installer in the background. If the service account that runs the upgrade does not have administrator permissions, the installer will fail with an “Access Denied” error.
When you run the Cribl Edge service as LocalSystem (default),
you can run upgrades in a Fleet without additional steps,
because LocalSystem already has the required permissions to perform upgrades.
To run a Fleet upgrade with MSA/gMSA, add the account to the local administrators group. Configuring MSA/gMSA as an administrator lets you run Edge Node upgrades, but also grants broader privileges to the service account. To avoid this, keep the MSA/gMSA as a non-admin service account and perform Edge upgrades manually. See Upgrade Edge Nodes Manually for information on how to do it.
Troubleshooting
If you encounter issues, check the Windows Event Viewer for error messages related to the installation or the Cribl Edge service. For detailed installer logs, use the /log logfile.txt option with msiexec. Also, check the Cribl logs themselves for more application-specific information.