On This Page

Home / Edge/ Cribl Edge on Windows/Windows Troubleshooting

Windows Troubleshooting

When running Cribl Edge on Windows, you can encounter the following issues. Read on to find the proposed solutions.

For potential issues you can encounter during installation of Windows Edge Nodes, see Windows Installation Troubleshooting.

Windows Event Fields Configuration

If you’re encountering issues when collecting Windows events in both JSON and XML modes, it’s likely due to improper configurations. To resolve:

  1. Configure Windows events via XML format in Cribl Edge (recommended over JSON).
  2. Build a basic Pipeline/transformation to ensure all expected fields are present.
  3. Verify fields are in the desired format after processing.
  4. Consider implementing data reduction in your pipeline to optimize usage.

PowerShell Performance Issues with Windows Sources

PowerShell-based collection for System State, Windows Metrics, and Windows Event Log Sources is a legacy option that will be removed in a future release. We highly recommend keeping this option disabled and using the newer native capabilities.

To disable PowerShell-based collection:

  1. Upgrade to Cribl Edge 4.13.x or newer.
  2. Disable Advanced Settings > Use Windows Tools.

The optimized non-PowerShell collection methods provide better performance and reliable data ingestion.

CPU/Memory Issues on Windows

If you notice high CPU/Memory usage on your Windows Cribl Edge Nodes:

  • Create a Fleet dedicated to Windows Nodes, and constrain Windows Sources to that Fleet.

  • If you want to collect logs only, disable the Windows Metrics Source.

  • The Users and Groups collector in the System State Source can trigger high CPU utilization in the Windows lsass.exe process where there are many user accounts on the host. This is not uncommon on Domain Controllers. Consider disabling the User and Groups collector if you see that process consuming excessive CPU.

To optimize the Windows Event Logs Source:

  • During the Windows Event Log capture, run the collection for 10 seconds and tweak the settings if necessary so that collection doesn’t always have to catch up. Consider changing the Windows Events Log Batch Size and Frequency.

    Example command to capture a certain number of events:

    measure-command {Get-WinEvent -Oldest -MaxEvents 500 @{LogName='Security'} | ForEach-Object -Process {ConvertTo-Json -Compress $_}}

  • For Domain Controllers with heavy log volumes, consider using the Windows Event Forwarder and sending the logs to Cribl Stream, instead of using the Windows Event Log Source in Cribl Edge.

  • If you’re collecting Windows Events Logs in JSON format, you may experience disk space issues. You can either set XML as the event format on the Windows Events Logs Source, or upgrade Cribl Edge to v.4.8.x or newer and toggle off Use Windows Tools. See the Windows Event Logs Source topic for more details.