File open mode

Elastic Stack Beats
1

Hello,

While troubleshooting an issue on our Windows servers, we saw that Filebeat is opening files in read/write mode.

Should it be read only mode?
There's no reason to be other than readonly.

O:\Outils\SysinternalsSuite>tasklist | findstr fileb
filebeat.exe                  6024 Services                   0     75,816 K

O:\Outils\SysinternalsSuite>handle -a -u -p 6024 | findstr depot_journal
  2D0: File  (RWD)   D:\depot_journal\mpo-app\mpo-web2-cluster-ms2\det\acces.log
  2EC: File  (RWD)   D:\depot_journal\mpo-apppr\mpo-batch-cluster-ms1\mpo-com\application.log
  2F0: File  (RWD)   D:\depot_journal\mpo-app\mpo-web1-cluster-ms2\mpo-audit\acces.log
  318: File  (RWD)   D:\depot_journal\mpo-apppr\mpo-web1-cluster-ms2\mpo-portail\application.log
  354: File  (RWD)   D:\depot_journal\mpo-apppr\mpo-web1-cluster-ms2\mpo-audit\acces.log
  3A8: File  (RWD)   D:\depot_journal\mpo-app\mpo-web1-cluster-ms2\mpo-com\application.log
  3B4: File  (RWD)   D:\depot_journal\mpo-apppr\mpo-web2-cluster-ms2\mpo-identite\application.log
  3B8: File  (RWD)   D:\depot_journal\mpo-app\mpo-web2-cluster-ms2\set\application.log
  3C8: File  (RWD)   D:\depot_journal\mpo-app\mpo-web2-cluster-ms2\mpo-identite\application.log

Thanks,
Bruno

2

I can't seem to find any documentation as to where exactly the RWD data is coming from, but it looks to me like that is actually the dwShareMode parameter to CreateFile and not the dwDesiredAccess parameter.

Here's the Filebeat code showing that it requests only read access. https://github.com/elastic/beats/blob/11499e6c825618601adb801b9623fbfe0962d7fe/filebeat/input/file/file_windows.go#L93

3

@Bruno_Lavoie Any chance to confirm what @andrewkroh found above? I would also hope that this column is the share mode.

4

Yes, I just confirmed with ops and it's dwShareMode, because it appears that we can delete manually some of these files when not opened in exclusive mode by the logging library and in use by filebeat.
Thanks and sorry

5

This topic was automatically closed after 21 days. New replies are no longer allowed.