Execbeat is not outputting ps -ef|grep

Elastic Stack Beats
1

Hi,

I am using latest execbeat with ELK GA 5.0.0. I would like to know if certain process is running in my PC, say, Filebeat. Running the command ps -ef|grep filebeat returns the output;

mypc   688     1  0 Jan16 ?        00:21:17 ./filebeat -c beata.yml
mypc   696     1  0 Jan16 ?        00:31:45 ./filebeat -c beatb.yml

I have configured execbeat like this;

execbeat:
  execs:
    -
      cron: "@every 5s"
      command: ps -ef|grep
      args: filebeat
      document_type: execbeat
output.console:
  enabled: true
  pretty: true

but, when I execute it, i am getting the output like;

{
  "@timestamp": "2017-02-15T10:50:24.000Z",
  "beat": {
    "hostname": "mypc",
    "name": "mypc",
    "version": "2.1.1"
  },
  "exec": {
    "command": "ps -ef|grep",
    "stdout": ""
  },
  "type": "execbeat"
}

Why is this happening and how can I fix this?

Thank you.

2

What you've done won't work, and since the Execbeat's args option is a string that's passed as a single argument I'm not sure this can be worked around so easily except by creating a standalone script that runs the desired command. From what I can tell, running ps aux | grep filebeat just isn't possible with Execbeat.

If args had been a list of strings I would've suggested this:

command: bash
args:
  - -c
  - ps aux | grep filebeat
3

tried

execbeat:
  execs:
    -
      command: bash
      args:
        - -c
        - ps aux | grep filebeat
output.console:
  enabled: true
  pretty: true

got

Exiting: Error reading config file: can not convert 'object' into 'string' accessing 'execbeat.execs.0.args' (source:'execbeattest.yml')
4

Yes. As I said that won't work but it's what I would have suggested if Execbeat supported it. Create a standalone shell script and run that instead.

5

I created a .sh script and targeted execbeat to that, it works!