Auditbeat - Running as non-root user, will likely not report all processes


Trying out the process module for auditbeat on Windows. Seeing the following message:

|2019-07-01T14:02:55.289+0200|WARN|[cfgwarn]|process/process.go:131|BETA: The system/process dataset is beta|
|2019-07-01T14:02:55.306+0200|DEBUG|[process]|process/process.go:168|Last state was sent at 2019-07-01 09:01:25.3942751 +0200 CEST. Next state update by 2019-07-01 21:01:25.3942751 +0200 CEST.|
|2019-07-01T14:02:55.306+0200|WARN|[process]|process/process.go:174|Running as non-root user, will likely not report all processes.|

As auditbeat is running as SYSTEM, it should have all the required permissions to list all processes. Is this a bug (where auditbeat thinks it's running on Linux and checking for root privilege)?


Hi Willem, thanks for reaching out. Do you see those errors when running auditbeat as a Windows service (Start-Service auditbeat), or are you starting auditbeat manually (./auditbeat -e)?


Hi @willemdh - that's a bug, we should not be showing this warning on Windows. I'll get it fixed, but it shouldn't have any impact on what data is collected.

Thanks, I'll ignore for now. By the way, we noticed auditbeat has crashed several times since enabling the host and process metricset on Windows Server 2012 R2 and 2016. Enabled debug, but nothing is logged which could point to the root cause.


The problematic module on Windows Server 2012 R2 is:

- module: system
  datasets:
    - process
  period: 1s

