Error getting details for process

I am seeing quite a few log entries like this. The Endpoint agent is running as the local system account.

{
  "@timestamp": "2020-10-22T17:46:14.800Z",
  "message": "Error getting details for process services.exe with pid=792: error getting process mem for pid=792: OpenProcess failed for pid=792: Access is denied.",
  "log": {
    "logger": "processes",
    "level": "debug",
    "offset": 2495650,
    "file": {
      "path": "C:\\Temp\\elastic-agent-7.9.2-windows-x86_64\\data\\logs\\default\\metricbeat-json.log"
    },
    "origin": {
      "file": {
        "name": "process/process.go",
        "line": 486
      }
    }
  },
  "input": {
    "type": "log"
  },
  "data_stream": {
    "type": "logs",
    "dataset": "elastic.agent.metricbeat",
    "namespace": "default"
  },
  "host": {
    "architecture": "x86_64",
    "name": "pc-xxxxx",
    "os": {
      "platform": "windows",
      "version": "10.0",
      "family": "windows",
      "name": "Windows 10 Pro",
      "kernel": "10.0.18362.1082 (WinBuild.160101.0800)",
      "build": "18363.1082"
    },
    "id": "d6b7e18d-bda8-4bab-9de2-a6583f8ca867",
    "ip": [
      "fe80::c01e:9b27:7b61:79e5",
      "x.x.x.x"
    ],
    "mac": [
      "14:dd:a9:25:0a:d0"
    ],
    "hostname": "pc-xxxxx"
  },
  "agent": {
    "ephemeral_id": "d229b56b-cf18-4e9b-9e9d-373e74671c41",
    "id": "a260d063-8c1b-4ee7-846b-af720510c026",
    "name": "pc-xxxxx",
    "type": "filebeat",
    "version": "7.9.2",
    "hostname": "pc-xxxxx"
  },
  "ecs": {
    "version": "1.5.0"
  },
  "event": {
    "dataset": "elastic.agent.metricbeat"
  },
  "_index": ".ds-logs-elastic.agent.metricbeat-default-000001",
  "_type": "_doc",
  "_id": "KqZrUXUB5sRTZ5HGHdYK",
  "_score": 1
}

Thoughts?

Thanks,
Geoff

Hi ya' there Geoff,

I think this is out of my realm of knowledge but I did some searching around and found this ticket here which looks close to what you're seeing currently:

Thanks @Frank_Hassanabad

When I look through those bugs, it doesn't appear to actually have a fix.

Maybe I am missing something.

I'm not familiar with this area (so I might say something totally wrong), but it looks like you're using Metricbeat and don't have sufficient privileges to access some details of a particular process.

If so, the remedy would be to give your agent the correct privileges to allow it to access the details you want?
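
An added example, not part of any post in this thread and not Elastic's code: a small triage script that groups the access-denied entries discussed above by process name, pid and failing call, so you can see which processes the agent cannot open. It assumes the log documents were exported one JSON object per line; the sample lines are constructed, and `summarize_denied` is a hypothetical name.

```python
import json
import re
from collections import Counter

# Message format taken from the log entry quoted in the first post.
DENIED = re.compile(
    r"Error getting details for process (?P<name>.+?) with pid=(?P<pid>\d+): "
    r".*?(?P<call>\w+) failed for pid=\d+: Access is denied\."
)

def _event(message, level="debug"):
    # Builds a constructed document shaped like the one in the post (trimmed).
    return json.dumps({"message": message,
                       "log": {"logger": "processes", "level": level}})

# Constructed sample input. Only the services.exe message text comes from the
# post; the csrss.exe entry, the unrelated entry and the broken line are made up.
SAMPLE_LINES = [
    _event("Error getting details for process services.exe with pid=792: "
           "error getting process mem for pid=792: "
           "OpenProcess failed for pid=792: Access is denied."),
    _event("Error getting details for process services.exe with pid=792: "
           "error getting process mem for pid=792: "
           "OpenProcess failed for pid=792: Access is denied."),
    _event("Error getting details for process csrss.exe with pid=600: "
           "error getting process mem for pid=600: "
           "OpenProcess failed for pid=600: Access is denied."),
    _event("Non-zero metrics in the last 30s", level="info"),
    '{"message": "truncated line',
]

def summarize_denied(lines):
    """Count access-denied process-detail errors per (name, pid, failing call)."""
    counts = Counter()
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip partial or corrupt lines instead of aborting
        if not isinstance(event, dict):
            continue
        match = DENIED.search(str(event.get("message", "")))
        if match:
            counts[(match["name"], int(match["pid"]), match["call"])] += 1
    return counts

if __name__ == "__main__":
    for (name, pid, call), n in summarize_denied(SAMPLE_LINES).most_common():
        print(f"{n:>4}  {name} (pid {pid}): {call} denied")
```
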
