I start my packetbeat with docker-compose and am trying to use `add_process_metadata` to add `process.pid` to the packet data. But I failed: `process.pid` is always empty.

I use the following docker-compose to start packetbeat:
```yaml
version: "3.8"
networks:
  default:
    name: elastic
    external: false
services:   # compose v3 requires services under this key (missing from the pasted snippet)
  packetbeat:
    image: docker.elastic.co/beats/packetbeat:${STACK_VERSION}
    user: packetbeat
    volumes:
      - "./packetbeat.yml:/usr/share/packetbeat/packetbeat.yml:ro"
      - "/proc:/hostfs/proc:ro"
    cap_add:
      - NET_RAW
      - NET_ADMIN
    network_mode: host
    command:
      - --strict.perms=false
```
And the packetbeat.yml looks like this:
```yaml
output:
  elasticsearch:
    hosts:
      - 172.18.1.111:9200
    protocol: http
packetbeat:
  flows:
    period: 10s
    timeout: 30s
  interfaces:
    device: any
  protocols:
    - enabled: true
      type: icmp
    - ports:
        - 80
      type: http
    # ......
processors:
  - add_process_metadata:
      match_pids:
        - process.pid
      host_path: /hostfs
```
Can someone give me some suggestions?
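To make the mechanism behind the question visible, here is an added example (not code from the post above and not Packetbeat's own implementation): a minimal Python re-creation of what an `add_process_metadata`-style processor has to do. It reads `<host_path>/proc/<pid>/comm` and `cmdline` only when the event already carries a PID in one of the `match_pids` fields; if `process.pid` is absent or empty, there is nothing to match on and the event is left untouched. The `/proc` tree used here is constructed in a temporary directory for the example, and the function names (`add_process_metadata`, `read_proc`, `demo`) are this example's own.

```python
"""Added example: a toy add_process_metadata processor (not Beats code).

Shows that process enrichment depends on the event already having a PID in a
match_pids field, and that host_path is the prefix under which /proc is found
(the post mounts the host's /proc at /hostfs/proc and sets host_path: /hostfs).
"""
import os
import tempfile


def get_field(event, dotted):
    """Resolve a dotted field name such as 'process.pid' inside a nested dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def read_proc(host_path, pid):
    """Read name and argv for pid from <host_path>/proc/<pid>; None if absent."""
    base = os.path.join(host_path, "proc", str(pid))
    try:
        with open(os.path.join(base, "comm")) as f:
            name = f.read().strip()
        with open(os.path.join(base, "cmdline"), "rb") as f:
            # cmdline is NUL-separated; drop the trailing empty element
            args = [a.decode() for a in f.read().split(b"\0") if a]
    except OSError:
        return None
    return {"pid": pid, "name": name, "args": args,
            "executable": args[0] if args else None}


def add_process_metadata(event, match_pids, host_path="/"):
    """Enrich event in place from the first usable PID; return True if enriched."""
    for field in match_pids:
        pid = get_field(event, field)
        if pid in (None, "", 0):
            continue  # empty PID field: the processor has nothing to look up
        meta = read_proc(host_path, int(pid))
        if meta is None:
            continue  # PID not present under host_path/proc (exited, or wrong mount)
        event.setdefault("process", {}).update(meta)
        return True
    return False


def build_fake_proc(root, pid, comm, args):
    """Construct a fake /proc/<pid> entry under root (fixture, not real data)."""
    d = os.path.join(root, "proc", str(pid))
    os.makedirs(d, exist_ok=True)
    with open(os.path.join(d, "comm"), "w") as f:
        f.write(comm + "\n")
    with open(os.path.join(d, "cmdline"), "wb") as f:
        f.write(b"\0".join(a.encode() for a in args) + b"\0")


def demo():
    """Run the processor over two constructed flow events: with and without a PID."""
    with tempfile.TemporaryDirectory() as hostfs:
        build_fake_proc(hostfs, 4242, "nginx", ["/usr/sbin/nginx", "-g", "daemon off;"])
        with_pid = {"process": {"pid": 4242}, "destination": {"port": 80}}
        without_pid = {"destination": {"port": 80}}  # the situation in the post
        enriched = add_process_metadata(with_pid, ["process.pid"], host_path=hostfs)
        untouched = add_process_metadata(without_pid, ["process.pid"], host_path=hostfs)
        return enriched, with_pid, untouched, without_pid


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The second event mirrors the post: the processor is configured correctly and `/hostfs/proc` is readable, yet no `process.*` fields appear, because the processor enriches from an existing PID rather than discovering one from the packet itself.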