Metricbeat Windows Not Finding any file systems to report. "The system cannot find the file specified."

I am trying to install it on a Windows system (Windows 10 Pro). I got the service to start running and it's even sending output over to Kibana. Unfortunately, it isn't finding any file systems to report on.

E, L, K, & Metricbeat are all on version 7.4

Here's the system.yml file (almost straight out of the box):

- module: system
  period: 10s
  metricsets:
    - cpu
    #- load
    - memory
    - network
    - process
    - process_summary
    - socket_summary
    #- entropy
    #- core
    #- diskio
    #- socket
  process.include_top_n:
    by_cpu: 5      # include top 5 processes by CPU
    by_memory: 5   # include top 5 processes by memory

- module: system
  period: 1m
  metricsets:
    - filesystem
    - fsstat
#  processors:
#  - drop_event.when.regexp:
#      system.filesystem.mount_point: '^/(sys|cgroup|proc|dev|etc|host|lib)($|/)'

- module: system
  period: 15m
  metricsets:
    - uptime

#- module: system
#  period: 5m
#  metricsets:
#    - raid
#  raid.mount_point: '/'

Here's the output from the Metricbeat log file:

2019-11-03T19:46:10.424-0600	INFO	instance/beat.go:607	Home path: [C:\program files\metricbeat] Config path: [C:\program files\metricbeat] Data path: [C:\ProgramData\metricbeat] Logs path: [C:\ProgramData\metricbeat\logs]
2019-11-03T19:46:10.428-0600	INFO	instance/beat.go:615	Beat ID: d4e03197-8725-4b4f-8059-f6d7c6c53858
2019-11-03T19:46:10.455-0600	INFO	[beat]	instance/beat.go:903	Beat info	{"system_info": {"beat": {"path": {"config": "C:\\program files\\metricbeat", "data": "C:\\ProgramData\\metricbeat", "home": "C:\\program files\\metricbeat", "logs": "C:\\ProgramData\\metricbeat\\logs"}, "type": "metricbeat", "uuid": "d4e03197-8725-4b4f-8059-f6d7c6c53858"}}}
2019-11-03T19:46:10.460-0600	INFO	[beat]	instance/beat.go:912	Build info	{"system_info": {"build": {"commit": "15075156388b44390301f070960fd8aeac1c9712", "libbeat": "7.4.2", "time": "2019-10-28T19:49:39.000Z", "version": "7.4.2"}}}
2019-11-03T19:46:10.460-0600	INFO	[beat]	instance/beat.go:915	Go runtime info	{"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":8,"version":"go1.12.9"}}}
2019-11-03T19:46:10.475-0600	INFO	[beat]	instance/beat.go:919	Host info	{"system_info": {"host": {"architecture":"x86_64","boot_time":"2019-11-02T13:54:25.52-05:00","name":"XXXXXXX","ip":["XXX.XXX.XXX.XXX/24","XXXX::XXXX:XXXX:XXXX:XXXX/64","XXX.XXX.XXX.XXX/16","XXXX::XXXX:XXXX:XXXX:XXXX/64","XXX.XXX.XXX.XXX/16","XXXX::XXXX:XXXX:XXXX:XXXX/64","XXXX.XXXX.XXXX.XXXX/16","XXXX::XXXX:XXXX:XXXX:XXXX/64","XXX.XXX.XXX.XXX4/16","::1/128","127.0.0.1/8"],"kernel_version":"10.0.18362.418 (WinBuild.160101.0800)","mac":["10:05:01:48:9e:18","0c:54:15:fc:1f:7f","0c:54:15:fc:1f:80","0e:54:15:fc:1f:7f","0c:54:15:fc:1f:83"],"os":{"family":"windows","platform":"windows","name":"Windows 10 Pro","version":"10.0","major":10,"minor":0,"patch":0,"build":"18362.418"},"timezone":"CST","timezone_offset_sec":-21600,"id":"dfab0da7-da8c-4d61-b7cb-d855f144c284"}}}
2019-11-03T19:46:10.477-0600	INFO	[beat]	instance/beat.go:948	Process info	{"system_info": {"process": {"cwd": "C:\\WINDOWS\\system32", "exe": "C:\\Program Files\\Metricbeat\\metricbeat.exe", "name": "metricbeat.exe", "pid": 14228, "ppid": 980, "start_time": "2019-11-03T19:46:02.761-0600"}}}
2019-11-03T19:46:10.477-0600	INFO	instance/beat.go:292	Setup Beat: metricbeat; Version: 7.4.2
2019-11-03T19:46:10.477-0600	INFO	[index-management]	idxmgmt/std.go:178	Set output.elasticsearch.index to 'metricbeat-7.4.2' as ILM is enabled.
2019-11-03T19:46:10.477-0600	INFO	elasticsearch/client.go:170	Elasticsearch url: http://192.168.200.54:9200
2019-11-03T19:46:10.477-0600	INFO	[publisher]	pipeline/module.go:97	Beat name: XXXXXX
2019-11-03T19:46:10.478-0600	INFO	instance/beat.go:422	metricbeat start running.
2019-11-03T19:46:10.478-0600	INFO	[monitoring]	log/log.go:118	Starting metrics logging every 30s
2019-11-03T19:46:10.478-0600	INFO	cfgfile/reload.go:171	Config reloader started
2019-11-03T19:46:13.455-0600	INFO	add_cloud_metadata/add_cloud_metadata.go:87	add_cloud_metadata: hosting provider type not detected.
2019-11-03T19:46:20.484-0600	INFO	helper/privileges_windows.go:79	Metricbeat process and system info: {"OSVersion":{"Major":6,"Minor":2,"Build":9200},"Arch":"amd64","NumCPU":8,"User":{"SID":"S-1-5-21-2830785992-2897304774-1924465196-1001","Account":"XXXXX","Domain":"XXXXX","Type":1},"ProcessPrivs":{"SeBackupPrivilege":{"enabled":false},"SeChangeNotifyPrivilege":{"enabled_by_default":true,"enabled":true},"SeCreateGlobalPrivilege":{"enabled_by_default":true,"enabled":true},"SeCreatePagefilePrivilege":{"enabled":false},"SeCreateSymbolicLinkPrivilege":{"enabled":false},"SeDebugPrivilege":{"enabled":false},"SeDelegateSessionUserImpersonatePrivilege":{"enabled":false},"SeImpersonatePrivilege":{"enabled_by_default":true,"enabled":true},"SeIncreaseBasePriorityPrivilege":{"enabled":false},"SeIncreaseQuotaPrivilege":{"enabled":false},"SeIncreaseWorkingSetPrivilege":{"enabled":false},"SeLoadDriverPrivilege":{"enabled":false},"SeManageVolumePrivilege":{"enabled":false},"SeProfileSingleProcessPrivilege":{"enabled":false},"SeRemoteShutdownPrivilege":{"enabled":false},"SeRestorePrivilege":{"enabled":false},"SeSecurityPrivilege":{"enabled":false},"SeShutdownPrivilege":{"enabled":false},"SeSystemEnvironmentPrivilege":{"enabled":false},"SeSystemProfilePrivilege":{"enabled":false},"SeSystemtimePrivilege":{"enabled":false},"SeTakeOwnershipPrivilege":{"enabled":false},"SeTimeZonePrivilege":{"enabled":false},"SeUndockPrivilege":{"enabled":false}}}
2019-11-03T19:46:20.489-0600	INFO	helper/privileges_windows.go:111	SeDebugPrivilege is now enabled. SeDebugPrivilege=(Enabled)
2019-11-03T19:46:20.496-0600	INFO	module/wrapper.go:252	Error fetching data for metricset system.fsstat: filesystem list: GetAccessPaths failed: failed to get list of access paths for volume '\\?\Volume{2d8ef6be-b9a4-11e8-9c5a-0019860014e4}\': GetVolumePathNamesForVolumeNameW failed to get needed buffer length: The system cannot find the file specified.
2019-11-03T19:46:20.496-0600	INFO	module/wrapper.go:252	Error fetching data for metricset system.filesystem: error getting filesystem list: GetAccessPaths failed: failed to get list of access paths for volume '\\?\Volume{2d8ef6be-b9a4-11e8-9c5a-0019860014e4}\': GetVolumePathNamesForVolumeNameW failed to get needed buffer length: The system cannot find the file specified.

The service is running as a user with SeDebugPrivilege enabled (as I read in some other posts). At this point I'm stuck on understanding what is going wrong here. I'm assuming there is a config parameter or option I'm leaving out, but I haven't been able to figure out which one.

Does anyone have any ideas on how to move forward with this?

Thanks in advance.

Answering my own issue. The service had to be running as a user with administrative rights, not as the "system" account under Windows. Changed the login for the service and all is running properly now.
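
To see which identity and privileges a Beat actually started with, and which metricsets failed on which volume, the startup lines quoted in the question can be parsed directly. This is an added example, not part of the original thread or of Metricbeat's code; the sample log is constructed in the same format, and `classify_sid` and `triage` are hypothetical helper names.

```python
import json
import re

# Constructed sample in the log format shown above; SID and volume GUID are placeholders.
SAMPLE_LOG = "\n".join([
    "2019-11-03T19:46:20.484-0600\tINFO\thelper/privileges_windows.go:79\t"
    'Metricbeat process and system info: {"User":{"SID":"S-1-5-21-1111-2222-3333-1001",'
    '"Account":"svc-beat","Domain":"HOST","Type":1},"ProcessPrivs":{'
    '"SeBackupPrivilege":{"enabled":false},"SeManageVolumePrivilege":{"enabled":false},'
    '"SeChangeNotifyPrivilege":{"enabled_by_default":true,"enabled":true}}}',
    "2019-11-03T19:46:20.496-0600\tINFO\tmodule/wrapper.go:252\t"
    "Error fetching data for metricset system.fsstat: filesystem list: GetAccessPaths failed: "
    r"failed to get list of access paths for volume '\\?\Volume{00000000-0000-0000-0000-000000000000}\': "
    "GetVolumePathNamesForVolumeNameW failed to get needed buffer length: "
    "The system cannot find the file specified.",
])

WELL_KNOWN = {"S-1-5-18": "LocalSystem", "S-1-5-19": "LocalService", "S-1-5-20": "NetworkService"}
INFO_MARK = "Metricbeat process and system info: "
ERR_RE = re.compile(r"Error fetching data for metricset (\S+?): .*for volume '([^']+)'")

def classify_sid(sid):
    """Map a SID to a built-in service identity, or report it as an ordinary account."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    if sid.startswith("S-1-5-21-"):
        rid = sid.rsplit("-", 1)[1]  # last component is the relative identifier
        return "built-in Administrator" if rid == "500" else f"user account (RID {rid})"
    return "other"

def triage(log_text):
    """Summarise the service identity, its enabled privileges and the failing metricsets."""
    report = {"account": None, "identity": None, "enabled_privs": [], "failures": []}
    for line in log_text.splitlines():
        if INFO_MARK in line:
            info = json.loads(line.split(INFO_MARK, 1)[1])
            user = info["User"]
            report["account"] = f'{user["Domain"]}\\{user["Account"]}'
            report["identity"] = classify_sid(user["SID"])
            report["enabled_privs"] = sorted(
                name for name, state in info["ProcessPrivs"].items() if state.get("enabled"))
        match = ERR_RE.search(line)
        if match:
            report["failures"].append({"metricset": match.group(1), "volume": match.group(2),
                                       "os_error": line.rsplit(": ", 1)[1]})
    return report

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Running it against the log before and after changing the service logon account shows whether the identity and the set of enabled privileges actually changed.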

Sorry we didn't get to this post fast enough. Thanks for posting your solution here!!
