Deployment Planning

There are at least three key factors that will determine the type of Cribl Stream deployment in your environment:

  • Amount of Incoming Data: This is defined as the amount of data planned to be ingested per unit of time. E.g., how many MB/s or GB/day?

  • Amount of Data Processing: This is defined as the amount of processing that will happen on incoming data. E.g., are there a lot of transformations, regex extractions, parsing functions, field obfuscations, etc.?

  • Routing and/or Cloning: Is most data going to a single destination, or is it being cloned and routed to multiple places? This is important because destination-specific serialization tends to be relatively expensive.

These factors are covered in detail in Sizing and Scaling, and in our Architectural Considerations introduction to reference architectures.

Type of Deployment

OS and System Requirements

Leader and Worker Nodes should have sufficient CPU, RAM, network, and storage capacity to handle your specific workload. It’s very important to test this before deploying to production.

In the table below, we assume that 1 physical core is equivalent to 2 virtual/hyperthreaded CPUs (vCPUs). This corresponds to Intel/Xeon or AMD processors. On Graviton2/ARM64 processors, where 1 core is equivalent to 1 vCPU – but with higher capacity – sizing can be slightly different. For details, see Sizing and Scaling and Requirements.

Although the table shows only tested distros, Cribl Stream’s general requirements are 64-bit Linux kernel >= 3.10 and glibc >= 2.17.

| Requirement Type | Requirements Details |
|---|---|
| Minimum: Leader and Worker Nodes | OS: Linux: Ubuntu 16.04, Debian 9, RHEL 7, CentOS Linux 7, 8, or CentOS Stream 9, SUSE Linux Enterprise Server 12, Amazon Linux 2. System: +4 physical cores, +8GB RAM, 5GB free disk space (more if persistent queuing is enabled on Workers) |
| Recommended: Leader Node | OS: Linux: Ubuntu 16.04, Debian 9, RHEL 7, CentOS Linux 7, 8, or CentOS Stream 9, SUSE Linux Enterprise Server 12, Amazon Linux 2. System: +4 physical cores, +8GB RAM, 5GB free disk space |
| Recommended: Worker Nodes | OS: Linux: Ubuntu 16.04, Debian 9, RHEL 7, CentOS Linux 7, 8, or CentOS Stream 9, SUSE Linux Enterprise Server 12, Amazon Linux 2. System: +8 physical cores, +32GB RAM, 5GB free disk space |
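
The general requirements stated above (64-bit Linux kernel >= 3.10, glibc >= 2.17) and the minimum cores, RAM, and free disk can be verified on a candidate host before installing. The script below is an added example, not Cribl's own tooling; the function names, the 10% RAM allowance, and the default /opt target directory are assumptions.

```shell
#!/bin/sh
# Added example (not Cribl tooling): preflight check for this page's minimums.
# Function names, the 10% RAM allowance and the /opt default are assumptions.

# version_ge A B: true when dotted version A >= B, compared numerically per
# component (a plain string compare would rank 3.9 above 3.10).
version_ge() {
  va=$1 vb=$2
  while [ -n "$vb" ]; do
    x=${va%%.*} y=${vb%%.*}
    x=${x%%[!0-9]*} y=${y%%[!0-9]*}   # "0-1160" -> "0"
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    case $va in *.*) va=${va#*.} ;; *) va= ;; esac
    case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
  done
  return 0
}

need() { echo "FAIL: $1"; fails=$((fails + 1)); }

# check_host KERNEL GLIBC ARCH VCPUS MEM_KB FREE_KB
# Prints one line per unmet minimum; returns the number of failures.
check_host() {
  fails=0
  # 1 physical core = 2 vCPUs on Intel/AMD, 1 vCPU on ARM64 (per the page).
  case $3 in
    x86_64)  min_vcpus=8 ;;
    aarch64) min_vcpus=4 ;;
    *)       min_vcpus=8; need "arch $3 is not x86_64 or aarch64" ;;
  esac
  version_ge "$1" 3.10 || need "kernel $1 is older than 3.10"
  version_ge "$2" 2.17 || need "glibc ${2:-(not found)} is older than 2.17"
  [ "$4" -ge "$min_vcpus" ] || need "$4 vCPUs, need $min_vcpus (4 physical cores)"
  # MemTotal excludes kernel-reserved RAM, so accept 90% of 8 GB (assumption).
  [ "$5" -ge $((8 * 1024 * 1024 * 9 / 10)) ] || need "RAM $5 kB is below 8 GB"
  [ "$6" -ge $((5 * 1024 * 1024)) ] || need "free disk $6 kB is below 5 GB"
  return "$fails"
}

# preflight [DIR]: gather the facts from this host and check them.
preflight() {
  libc=$(getconf GNU_LIBC_VERSION 2>/dev/null)   # e.g. "glibc 2.31"
  mem=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)
  free=$(df -Pk "${1:-/opt}" | awk 'NR == 2 {print $4}')
  check_host "$(uname -r)" "${libc##* }" "$(uname -m)" "$(nproc)" "$mem" "$free"
}
# Checks the local host only when asked: sh preflight.sh --host [DIR]
if [ "${1:-}" = "--host" ]; then preflight "${2:-}"; fi
```

The exit status is the number of unmet minimums, so a provisioning job can gate on it; DIR should be the filesystem that will hold the installation and any persistent queues.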

Browser Requirements

Most modern browsers will work, but Cribl Stream formally supports the five most-recent versions of Chrome, Firefox, Safari, and Microsoft Edge.

Port Requirements

See Ports for detailed information on the ports that need to be open for Cribl Stream and its integrations to work.

FIPS Mode Requirements

Federal Information Processing Standards (FIPS) is a set of US government standards and guidelines for information security. You can deploy Cribl Stream in FIPS mode. This mainly restricts the cryptographic algorithms used within Cribl Stream, and also enforces stricter password requirements.

See the FIPS Mode topic for system and password requirements, and instructions for running in FIPS mode.

Once Cribl Stream has been started without FIPS mode enabled, you cannot put it into FIPS mode. You must enable FIPS mode as described here, after installing but before starting Cribl Stream.

Cluster Installation/Configuration Checklist

This section compiles basic checkpoints for successfully launching a distributed cluster.

1. Provision Hardware

2. Configure Leader Node

3. Configure Worker Nodes

4. Map Workers to Groups

  • On the Leader Node, create a Worker Group.
    • Name the Worker Group (arbitrarily) POV.
  • On the Leader Node, confirm that workers are connecting.
    • From the Leader Node’s top menu, select Workers.
  • Map Workers to dev Worker Groups.
    • Use the Filter: cribl.tags.includes('POV').

5. Other

If you will be using Cribl Stream’s GeoIP enrichment feature, install the MaxMind database onto the Cribl Stream Leader and all Worker Nodes.