I really dislike running any service as root. But Edge needs to access files all over my system. Is there a way to address both requirements?
You can set the CAP_DAC_READ_SEARCH ability as with allowing sub 1024 port numbers. Run systemctl edit cribl-edge and add the CAP_DAC_READ_SEARCH capability. Save the file and restart Cribl Edge:
systemctl edit cribl-edge
You could create facl rules to allow the user running Edge access to various parts of the file system. There's really nothing stopping you from having that user access every location on disk, but it would be a fairly challenging facl to write.
To do this for the /var/log directory, you can run the following:
setfacl -m user:<user>:rx /var/log
We have the method @Wayne Gillo is describing documented here:
You can find more details in the documentation -
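An added example, not part of the original thread and not Cribl's own code: a check that the Edge process really runs as a non-root user with CAP_DAC_READ_SEARCH as its only effective capability, as the capability answer above intends. The drop-in contents in the comment, the function name audit_status and the sample status text are assumptions made for illustration.

```sh
#!/bin/sh
# Added example. Assumed drop-in created with `systemctl edit cribl-edge`
# (AmbientCapabilities= is a real systemd directive; using it here is an
# assumption, the thread does not show the file contents):
#   [Service]
#   AmbientCapabilities=CAP_DAC_READ_SEARCH
# The capability bypasses read checks on every file, so the audit also
# flags any capability granted beyond it.

CAP_DAC_READ_SEARCH_BIT=2   # bit number from <linux/capability.h>

# audit_status: reads /proc/<pid>/status text on stdin, prints one verdict:
#   ok | running-root | missing-cap | extra-caps | parse-error
audit_status() {
    euid="" capeff=""
    while read -r key v1 v2 _rest; do
        case "$key" in
            Uid:)    euid="$v2" ;;     # fields: real, effective, saved, fs
            CapEff:) capeff="$v1" ;;   # effective capability mask, hex
        esac
    done
    case "$euid"   in ""|*[!0-9]*)       echo parse-error; return 2 ;; esac
    case "$capeff" in ""|*[!0-9a-fA-F]*) echo parse-error; return 2 ;; esac
    mask=$(( 0x$capeff ))
    want=$(( 1 << $CAP_DAC_READ_SEARCH_BIT ))
    if [ "$euid" -eq 0 ]; then echo running-root; return 1; fi
    if [ $(( mask & want )) -eq 0 ]; then echo missing-cap; return 1; fi
    if [ $(( mask & ~want )) -ne 0 ]; then echo extra-caps; return 1; fi
    echo ok
}

# Constructed sample of a status file (UID 992 is made up).
printf 'Name:\tcribl\nUid:\t992\t992\t992\t992\nCapEff:\t0000000000000004\n' |
    audit_status

# Against the live service:
#   audit_status < "/proc/$(systemctl show -p MainPID --value cribl-edge)/status"
```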