Collecting and processing logs, metrics, and application data from endpoints have caused many ITOps and SecOps engineers to go gray sooner than they would have liked. Delivering observability data to its proper destination from Linux and Windows machines, apps, or microservices is way more difficult than it needs to be.
We created Cribl Edge to save the rest of that beautiful head of hair of yours. Edge offers automatic discovery of host, container, and application data on endpoints and gives users extra processing power with its functions and pipelines. The user-friendly UI allows you to explore, preview, and build configs before forwarding data to any of the many supported destinations.
We’ve made it easy to set up and even easier to manage. Here’s how to get started with Cribl Edge on Windows servers, Linux servers, and Kubernetes using the Helm Chart — and how to upgrade and manage fleets and subfleets.
To deploy Cribl Edge onto a Windows Server, start by selecting View All Fleets in your Cribl Edge dashboard. Click on Edge Nodes, then the Add/Update Edge Node button and choose Windows > Add from the drop-down menu.
Choose the Windows subfleet from the fleet drop-down and copy the pre-built script to the clipboard. Paste the command into the PowerShell window on your Windows machine — it will automatically download the MSI installer from the Cribl content delivery network and apply the appropriate configuration.
You can refresh the nodes in the Edge dashboard to show that the Windows host has been deployed with a Cribl Edge agent installed. View the host information by selecting the teleport link and using the Explore tab or see the processes running on the machine, browse the file system to see logs, and see file systems, DNS routes, network interfaces, users, and other information about the host itself.
After you collect some Windows event logs, you can preview them as they would be sent to a destination. Information is written in JSON, and files can be easily saved as samples to build pipelines for forwarding logs to your configured destinations.
To install Cribl Edge onto a Linux server using the bootstrap command functionality inside the Cribl leader UI, you’ll start the same way by selecting View All Fleets in your Cribl Edge dashboard. Click the Edge Nodes tab at the top, then the Add/Update Edge Node button, and choose Linux and Add from the drop-down.
A pre-populated list of settings will show for the installer — select Linux from the Fleet drop-down, enter a user, then copy the command to your clipboard. Switch to the terminal, paste the command, and then run the bootstrap. The download, set up to run under systemd, will begin automatically and then start the service.
The new Edge Node will download its initial configuration and appear in the Cribl leader UI when you refresh the list. The blue link will teleport you to the machine to explore running processes, additional metadata, browse the file system, and view the health of the system.
To deploy Cribl Edge onto a Kubernetes fleet, use the Helm chart from the Cribl GitHub repository. Create a Kubernetes fleet if you haven’t already, then go to the Edge Nodes tab at the top of the dashboard, click on the Add/Update Edge Node drop-down, and select Kubernetes from the drop-down.
Choose the Kubernetes fleet and copy the pre-populated command. Paste the command in your terminal. Refresh your nodes in the Cribl Edge dashboard, and you’ll see the three nodes in the Kubernetes cluster with three Cribl Edge nodes. Now that the config version has been deployed, you can collect Kubernetes, events, logs, and metrics. If no logs appear, apply a noise generator pod in the Kubernetes cluster — Cribl Edge will automatically detect the new pod and start streaming the logs to the configured destinations. If you run into any issues, enter “kubectl get pods -n cribl” to get the pod information and create the containers on the Kubernetes cluster.
Upgrading Cribl Edge Nodes from the leader UI is as easy as a few clicks. In the Edge Nodes tab under View All Fleets, you’ll be able to see if any of them are out of date. If the version of Cribl listed is not matching the leader version, navigate to the Settings tab at the top and click on the gear icon to the right of the red Upgrade button.
This reveals properties for upgrading the fleet — you can choose the quantity, the percentage of agents upgraded, opt into a rolling upgrade, and select retry options if the upgrade fails. After you select the Upgrade button, the Edge Node will download the software. You can confirm the changes by navigating back to the Manage tab and selecting Edge Nodes.
The Cribl Edge UI also comes with the ability to manage multiple fleets through the use of subfleets, giving you the flexibility to group Edge Nodes into easy-to-share and reuse configurations. You can organize your fleets and subfleets into a hierarchy of configuration layers based on organizational, geographical, data center, or OS considerations.
Group Edge Nodes with basic configurations like common logging locations, metrics, sources, and destinations at the Fleet level, or group Edge Nodes at the Subfleet level to pick up configurations specific to the applications and services that are running on the Nodes. Updates to a Fleet can be applied to all Subfleets and their respective Edge Nodes, reducing the time and effort needed to manage them.
Our Cribl Edge Docs have more detailed information on how to install and manage Cribl Edge on Windows, Linux, or Kubernetes.
We’re on a mission to make open observability a reality for today’s tech professionals with tools that give you radical levels of choice and control — check out the Cribl YouTube channel for more videos that will help you get the most out of your observability and security infrastructure. If you want to try out Cribl Edge today, create a free Cribl.Cloud account to get started immediately!