Bug for PR 749

biswajit86 · January 22, 2016, 7:31pm

Hi All,

PR 749 recently got merged to master . This PR implements support for command line options in topbeat.

However, I am unable to see command line options for child proceses. Some of our ancient perl scripts use ForkManager to fork child processes. In such cases, I do not see any value populated in command line options

andrewkroh · January 22, 2016, 7:46pm

What operating system are you running Topbeat on?

For my own sanity let me document how each OS works from looking at the source code in gosigar:

Windows - A WMI query is performed using the PID. In PowerShell you can do the query with: Get-WmiObject -Query "SELECT CommandLine from Win32_Process where ProcessID = <PID>". The same information is also visible in the Task Manager if you add Command Line as a column.
Linux - It reads the values from /proc/<pid>/cmdline. In a shell you can get the data with cat /proc/<pid>/cmdline
Mac OS X - It uses sysctl to get the process info.

biswajit86 · January 22, 2016, 8:14pm

I am running on RHEL 5.11

For the child proccesses, I see the proc.state value populated as zombie

Also, I do see the value in /proc//cmdline file.

andrewkroh · January 22, 2016, 8:52pm

So you have events where proc.state is zombie and proc.cmdline does not exist? Or is proc.cmdline present and set to an blank value? And for the same process, if you run cat /proc/<pid>/cmdline you see the command?

biswajit86 · January 22, 2016, 9:20pm

proc.cmdline does not exists
if I cat /proc//cmdline, I do see the commandline arguments in full

Topic		Replies	Views
How to log additional data for a given process such as "Command Line"? Beats	4	1414	July 5, 2017
Differenciate processes by their arguments Beats	3	923	July 5, 2017
Topbeat: See complete command line options Beats	2	933	July 5, 2017
Bug - Regex parsing for procs setting in topbeat.yml Beats	5	1100	July 5, 2017
Proc.name limited to 15 chars? Beats	5	4092	July 5, 2017

Bug for PR 749

Related topics