Event stopped process

holiveira · May 27, 2019, 10:56am

how to capture the status of the process when it is interrupted? I only have the status when it is running and sometimes I get a process status that has stopped.

Auditbeat 7.1.0 (Windows Server 2008 R2)
Elasticsearch 7.0.0 (Ubuntu Server 18.04 LTS)

cwurm · June 3, 2019, 7:50pm

Hi @holiveira - by "interrupted" do you mean stopped? The Auditbeat system/process dataset reports stopped processes (likely what you are seeing as a stopped process status - it's an event with event.action: process_stopped).

Can you post an example of a process start that does not have a corresponding process stop but you think it should? And provide your configuration as well?

holiveira · June 4, 2019, 11:42am

Hi @cwurm, yes I mean, stopped.

Configuration:

- module: system
  datasets:
    - process # Started and stopped processes
  state.period: 5s

processors:
- drop_event:
    when:
      not:
        regexp:
          process.name: "notepad.*"

I am monitoring only one process, in this case notepad.exe, in my understanding, when opening the notepad, should receive a process_started and in the course of time while the running process is receiving existing_process and when to stop the process receive the process_stopped.

What I've noticed is that existing_process occurs perfectly, but the process_started and process_stopped events do not occur.

I made a simulation, follows logs:

Auditbeat:

gist.github.com

https://gist.github.com/holiiveira/3ee5b6e97f496ba26ab5d0ec2dd4a428

auditbeat.log

2019-06-04T08:19:49.385-0300	INFO	instance/beat.go:571	Home path: [C:\Program Files\Auditbeat] Config path: [C:\Program Files\Auditbeat] Data path: [C:\ProgramData\auditbeat] Logs path: [C:\ProgramData\auditbeat\logs]
2019-06-04T08:19:49.389-0300	INFO	instance/beat.go:579	Beat ID: 2fcf4b76-f139-49a9-87e9-5a8c7c32fd65
2019-06-04T08:19:49.389-0300	INFO	[index-management.ilm]	ilm/ilm.go:129	Policy name: auditbeat-7.1.0
2019-06-04T08:19:49.389-0300	INFO	[beat]	instance/beat.go:827	Beat info	{"system_info": {"beat": {"path": {"config": "C:\\Program Files\\Auditbeat", "data": "C:\\ProgramData\\auditbeat", "home": "C:\\Program Files\\Auditbeat", "logs": "C:\\ProgramData\\auditbeat\\logs"}, "type": "auditbeat", "uuid": "2fcf4b76-f139-49a9-87e9-5a8c7c32fd65"}}}
2019-06-04T08:19:49.390-0300	INFO	[beat]	instance/beat.go:836	Build info	{"system_info": {"build": {"commit": "03b3db2a1d9d76fdf10475e829fce436c61901e4", "libbeat": "7.1.0", "time": "2019-05-15T23:57:38.000Z", "version": "7.1.0"}}}
2019-06-04T08:19:49.390-0300	INFO	[beat]	instance/beat.go:839	Go runtime info	{"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":8,"version":"go1.11.5"}}}
2019-06-04T08:19:49.409-0300	INFO	[beat]	instance/beat.go:872	Process info	{"system_info": {"process": {"cwd": "C:\\Windows\\system32", "exe": "C:\\Program Files\\Auditbeat\\auditbeat.exe", "name": "auditbeat.exe", "pid": 4420, "ppid": 560, "start_time": "2019-06-04T08:19:49.340-0300"}}}
2019-06-04T08:19:49.410-0300	INFO	instance/beat.go:280	Setup Beat: auditbeat; Version: 7.1.0
2019-06-04T08:19:49.411-0300	INFO	[publisher]	pipeline/module.go:97	Beat name: ts04
2019-06-04T08:19:49.427-0300	WARN	[cfgwarn]	process/process.go:128	BETA: The system/process dataset is beta

This file has been truncated. show original

In this example, my logstash processed 3 documents:

 "event": {
      "action": "existing_process",
      "dataset": "process",
      "id": "ebe2f666-09f0-42a8-9077-be59fa8d81d8",
      "module": "system",
      "kind": "state"
    }

"event": {
      "module": "system",
      "dataset": "process",
      "action": "existing_process",
      "id": "76f10fdd-5d5d-4aa8-bab4-06b490574dfe",
      "kind": "state"
    }

 "event": {
      "kind": "state",
      "dataset": "process",
      "action": "existing_process",
      "id": "88ba5d01-802d-414e-bc67-b66465e9033c",
      "module": "system"
    }

There was no process_started and no process_stopped.

cwurm · June 4, 2019, 4:08pm

Ok, I'm curious: If you increase state.period to something like 12h - do you then see process_started and process_stopped events?

holiveira · June 5, 2019, 12:32pm

Interesting, it worked perfectly.

system · June 26, 2019, 12:32pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Status of stopped process Beats metricbeat	3	660	May 14, 2019
Auditbeat 7.8.0 stuck: process running but no data sent to Elasticsearch Beats auditbeat	1	343	December 11, 2020
Auditbeat socket dataset doesn't correlate process info Beats auditbeat	5	426	February 10, 2021
Start process Winlogbeat Beats auditbeat	3	313	July 22, 2019
Auditbeat - Running as non-root user, will likely not report all processes Beats auditbeat	5	467	July 24, 2019

Event stopped process

Related topics