These docs are for Cribl Stream 4.4 and are no longer actively maintained.
See the latest version (4.14).
Deployment Planning
There are at least three key factors that will determine the type of Cribl Stream deployment in your environment:
- Amount of Incoming Data: This is defined as the amount of data planned to be ingested per unit of time. E.g., how many MB/s or GB/day? 
- Amount of Data Processing: This is defined as the amount of processing that will happen on incoming data. E.g., are there a lot of transformations, regex extractions, parsing functions, field obfuscations, etc.? 
- Routing and/or Cloning: Is most data going to a single destination, or is it being cloned and routed to multiple places? This is important because destination-specific serialization tends to be relatively expensive. 
These factors are covered in detail in Sizing and Scaling, and in our Architectural Considerations introduction to reference architectures.
Type of Deployment
- Use Cribl.Cloud to quickly launch a Cribl-hosted deployment of the combined Cribl applications suite (Stream, Edge, and Search). With this option, Cribl assumes responsibility for provisioning and managing all infrastructure, on your behalf. 
- Use Single-Instance/Basic Deployment when incoming data volume is low, and/or amount of processing is light. 
- Use Distributed Deployment to accommodate increased load. (See Sizing and Scaling for detailed guidance. See Bootstrap Workers from Leader to streamline Workers’ deployment via scripting.) 
OS and System Requirements
Leader and Worker Nodes should have sufficient CPU, RAM, network, and storage capacity to handle your specific workload. It’s very important to test this before deploying to production.
In the table below, we assume that 1 physical core is equivalent to 2 virtual/hyperthreaded CPUs (vCPUs). This corresponds to Intel/Xeon or AMD processors. On Graviton2/ARM64 processors, where 1 core is equivalent to 1 vCPU – but with higher capacity – sizing can be slightly different. For details, see Sizing and Scaling and Requirements.
Although the table shows only tested distros, Cribl Stream’s general requirements are 64-bit Linux kernel >= 3.10 and glibc >= 2.17.
| Requirement Type | Requirements Details | 
|---|---|
| Minimum Leader and Worker Nodes | OS: Linux: Ubuntu 16.04, Debian 9, RHEL 7+, CentOS Linux 7, 8, or CentOS Stream 9, SUSE Linux Enterprise Server 12, Amazon Linux 2<br>System: +4 physical cores, +8 GB RAM, 5 GB free disk space (more if persistent queuing is enabled on Workers) | 
| Recommended Leader Node | OS: Linux: Ubuntu 16.04, Debian 9, RHEL 7+, CentOS Linux 7, 8, or CentOS Stream 9, SUSE Linux Enterprise Server 12, Amazon Linux 2<br>System: +4 physical cores, +8 GB RAM, 5 GB free disk space | 
| Recommended Worker Nodes | OS: Linux: Ubuntu 16.04, Debian 9, RHEL 7+, CentOS Linux 7, 8, or CentOS Stream 9, SUSE Linux Enterprise Server 12, Amazon Linux 2<br>System: +8 physical cores, +32 GB RAM, 5 GB free disk space | 
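A preflight check for the kernel, glibc, CPU, RAM, and disk minimums stated above, as an added example rather than Cribl's own tooling. The function names, the `/opt` default directory, and the 1:1 core-to-vCPU mapping applied on ARM64 are assumptions.

```shell
#!/bin/sh
# Added example: preflight check against the minimums in the table above.
# Function names and the default install directory are assumptions.

# version_ge A B: true if the major.minor of version A is >= that of B.
# Compares numerically, so 3.2 < 3.10 (a string compare gets this wrong).
version_ge() {
    a_major=${1%%.*}; a_minor=${1#*.}; a_minor=${a_minor%%[!0-9]*}
    b_major=${2%%.*}; b_minor=${2#*.}; b_minor=${b_minor%%[!0-9]*}
    [ "$a_major" -gt "$b_major" ] && return 0
    [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]
}

# check_node ROLE ARCH KERNEL GLIBC VCPUS MEM_KB FREE_KB
# ROLE "min" = 4 cores / 8 GB; "worker" = recommended 8 cores / 32 GB.
# Prints one FAIL line per unmet requirement; returns 1 if any failed.
check_node() {
    role=$1 arch=$2 kernel=$3 glibc=$4 vcpus=$5 mem_kb=$6 free_kb=$7
    need_cores=4 need_gb=8 fail=0
    if [ "$role" = worker ]; then need_cores=8; need_gb=32; fi
    # 1 physical core = 2 vCPUs on x86; 1 vCPU on ARM64 (assumed 1:1 here).
    per_core=2
    if [ "$arch" = aarch64 ]; then per_core=1; fi
    need_vcpus=$((need_cores * per_core))
    # MemTotal excludes kernel-reserved memory, so round up to whole GB.
    mem_gb=$(( (mem_kb + 1048575) / 1048576 ))

    case $arch in x86_64|aarch64) ;; *) echo "FAIL: arch $arch is not 64-bit x86/ARM"; fail=1 ;; esac
    version_ge "$kernel" 3.10 || { echo "FAIL: kernel $kernel < 3.10"; fail=1; }
    version_ge "$glibc" 2.17 || { echo "FAIL: glibc $glibc < 2.17"; fail=1; }
    [ "$vcpus" -ge "$need_vcpus" ] || { echo "FAIL: $vcpus vCPUs < $need_vcpus"; fail=1; }
    [ "$mem_gb" -ge "$need_gb" ] || { echo "FAIL: $mem_gb GB RAM < $need_gb GB"; fail=1; }
    [ "$free_kb" -ge 5242880 ] || { echo "FAIL: under 5 GB free disk"; fail=1; }
    return "$fail"
}

# check_this_host ROLE [DIR]: gather live values and run the checks.
check_this_host() {
    check_node "$1" "$(uname -m)" "$(uname -r)" \
        "$(getconf GNU_LIBC_VERSION | awk '{print $2}')" "$(nproc)" \
        "$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)" \
        "$(df -Pk "${2:-/opt}" | awk 'NR==2 {print $4}')"
}

# Runs only when invoked with arguments, e.g.: sh preflight.sh worker /opt
if [ "$#" -gt 0 ]; then check_this_host "$@"; fi
```

Because RAM is rounded up to whole GB, a host reporting slightly under the threshold still passes; tighten that line if you need a strict floor.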
Browser Requirements
Most modern browsers will work, but Cribl Stream formally supports the five most-recent versions of Chrome, Firefox, Safari, and Microsoft Edge.
Port Requirements
See Ports for detailed information on the ports that need to be open for Cribl Stream and its integrations to work.
FIPS Mode Requirements
Federal Information Processing Standards (FIPS) is a set of US government standards and guidelines for information security. You can deploy Cribl Stream in FIPS mode. This mainly restricts the cryptographic algorithms used within Cribl Stream, and also enforces stricter password requirements.
In Cribl Stream version 4.4.4, FIPS mode is a beta feature that can be enabled in Customer Managed deployments.
To run Cribl Stream in FIPS mode, your environment must satisfy the system and password requirements described here.
Cluster Installation/Configuration Checklist
This section compiles basic checkpoints for successfully launching a distributed cluster.
1. Provision Hardware
- 1 Leader Node (see specs/requirements in OS and System Requirements above).
- 4 Worker Nodes (see specs/requirements in OS and System Requirements above).
- Acquire an evaluation (Sales Trial) License from the Cribl Sales Team.
2. Configure Leader Node
- Install git if not present (e.g., yum install git).
- Open the necessary ports.
- Download, Install, and Launch Cribl.
- Enable Start at Boot.
- Configure as a Leader.
- Confirm Worker Processes Settings at -2 (via Settings > Global Settings > System > Manage Processes).
- Install License.
- Change the default auth token value.
3. Configure Worker Nodes
- Enable GUI Access. Administrators will need to connect to the TCP:9000 port on each Node.
- Download, Install, and Launch Cribl.
- Enable Start at Boot.
- Configure as a Worker. (Give each Worker the (arbitrary) tag POV.)
- Confirm Worker Processes Settings at -2 (via Settings > Global Settings > System > Manage Processes).
- Install License.
4. Map Workers to Groups
- On the Leader Node, create a Worker Group.
  - Name the Worker Group (arbitrarily) POV.
- On the Leader Node, confirm that workers are connecting.
  - From the Leader Node’s top menu, select Workers.
- Map Workers to dev Worker Groups.
  - Use the Filter: cribl.tags.includes('POV').
5. Other
If you will be using Cribl Stream’s GeoIP enrichment feature, install the MaxMind database onto the Cribl Stream Leader and all Worker Nodes.