Monitoring specific processes via Elastic Agent?

Does anyone have a good method for monitoring that specific processes are running, even if said processes are not in the top N cpu/ram usage group?

The System integration lets you monitor the Top N processes. You can limit what processes are selected via a regex in the Processes inputs. But so far my attempts at manipulating that config into doing what I want haven't worked very well.

Specifically I added a second System integration and limited it to just .*(ssh|postfix|filebeat|metricbeat|auditbeat|dockerd|auditd).* processes. (I disabled all other collections.) Then I had to increase the number of top N processes to 1000 in order to make sure all the processes were grabbed.

In my normal system integration I tried to tell it to ignore any of the processes monitored by the other integration, but none of the regexes I tried seemed to do the trick. Specifically they seem to block all processes, not just the ones listed.

All in one:

^(?!.*?(ssh|postfix|filebeat|metricbeat|auditbeat|dockerd|auditd)).*$

In individual inputs:

^(?!.*?(ssh)).*$
^(?!.*?(postfix)).*$
^(?!.*?(filebeat)).*$
^(?!.*?(metricbeat)).*$
^(?!.*?(auditbeat)).*$
^(?!.*?(dockerd)).*$
^(?!.*?(auditd)).*$

Am I just getting my regex syntax wrong?

Anyone have any other ways of monitoring specific processes they could share?

Thanks!

Oh, this is all Elastic Agent 8.11.1 on Ubuntu 22.04 VMs.

Anyone?

Hi @jerrac

I have not looked closely... but if you want to monitor specific processes, you should not have Top N set at all... Either Specific Process OR Top N, not Both...

I have not done this with an agent but I have with Metricbeat. Should be the same logic...

Can you share the whole setting?

Not probably what you want to hear... but I might try with Metricbeat first, which is easier to debug, then set the same for Agent.

Perhaps take a quick look at

Update: With Agent

I also get that you are trying to set Top N to a big number, but that is not how I would do it.

First I would empty Top N (not set to 0). I just tried this in Agent; that seems to be the correct way.

Then, collect all processes and see if you see the processes you expect.

Then, narrow with regex


@stephenb So that does work. I'm always getting the processes I want. Thanks.

I also set up an ingest pipeline to drop duplicated events from the Top N configuration.

For anyone else who comes across this, you might see more results than you expect if your system has more than one instance of something running.

In my case I was seeing more records for each of the beats I have running than I expected. After looking into it, I figured out that there is an instance of each beat per configured Agent integration that uses the beat. So, instead of 6 per minute, I was seeing 24 per minute for metricbeat. ps shows 4 instances of metricbeat on my VM. So that works out.
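The regex question earlier in the thread, the "narrow with regex" step from the reply, and the instance-count observation just above, as one added Go example that is not from this thread, from Elastic or from the System integration's own code. It assumes that Metricbeat and Elastic Agent compile the Processes patterns with Go's standard regexp package (RE2 syntax); that the integration takes that code path is an assumption here, but it is a fact that Go's regexp does not support lookaround, so negative-lookahead patterns such as `^(?!.*?(ssh)).*$` fail to compile rather than matching anything. The example checks each posted pattern, applies the positive allowlist to a constructed process list, shows the RE2-safe way to get "everything except", and counts instances per name. The process names, the helper functions and their signatures are all constructed for this illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// AllowPattern is the positive allowlist pattern from the question.
const AllowPattern = `.*(ssh|postfix|filebeat|metricbeat|auditbeat|dockerd|auditd).*`

// LookaheadPatterns are the negative-lookahead exclusions posted in the question.
var LookaheadPatterns = []string{
	`^(?!.*?(ssh|postfix|filebeat|metricbeat|auditbeat|dockerd|auditd)).*$`,
	`^(?!.*?(ssh)).*$`,
	`^(?!.*?(dockerd)).*$`,
}

// SampleProcs is a constructed process list, not a capture from a real host.
// metricbeat appears four times to mirror the one-instance-per-integration
// observation from the thread.
var SampleProcs = []string{
	"sshd", "postfix", "filebeat",
	"metricbeat", "metricbeat", "metricbeat", "metricbeat",
	"auditbeat", "dockerd", "auditd",
	"bash", "cron", "nginx", "systemd",
}

// Compiles reports whether Go's regexp (RE2 syntax) accepts a pattern, and
// returns the parser's error text when it does not.
func Compiles(pattern string) (bool, string) {
	if _, err := regexp.Compile(pattern); err != nil {
		return false, err.Error()
	}
	return true, ""
}

// Matching returns the names that match a positive (allowlist) pattern; this is
// the filtering the Processes input is asked to do when Top N is left empty.
// (Assumption: the integration uses Go's regexp for that match.)
func Matching(procs []string, pattern string) []string {
	re := regexp.MustCompile(pattern)
	var out []string
	for _, p := range procs {
		if re.MatchString(p) {
			out = append(out, p)
		}
	}
	return out
}

// NotMatching is the RE2-safe way to express "everything except": match the
// positive pattern and negate in code, since the engine has no lookahead.
func NotMatching(procs []string, pattern string) []string {
	re := regexp.MustCompile(pattern)
	var out []string
	for _, p := range procs {
		if !re.MatchString(p) {
			out = append(out, p)
		}
	}
	return out
}

// InstanceCounts groups a process list by name; four metricbeat entries here
// mean four documents per collection period for that name, not duplicates.
func InstanceCounts(procs []string) map[string]int {
	counts := make(map[string]int)
	for _, p := range procs {
		counts[p]++
	}
	return counts
}

func main() {
	for _, p := range LookaheadPatterns {
		ok, msg := Compiles(p)
		fmt.Printf("compiles=%v pattern=%s %s\n", ok, p, msg)
	}
	fmt.Println("allowlist matches:", Matching(SampleProcs, AllowPattern))
	fmt.Println("everything else:  ", NotMatching(SampleProcs, AllowPattern))
	counts := InstanceCounts(SampleProcs)
	names := make([]string, 0, len(counts))
	for n := range counts {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		fmt.Printf("%-11s %d\n", n, counts[n])
	}
}
```

Running it prints `compiles=false` with the parser's "invalid or unsupported Perl syntax" message for every lookahead pattern, ten allowlist matches and four non-matches out of the fourteen constructed names, and `metricbeat 4` in the instance table. The practical consequence is the one the reply arrives at: keep a single positive pattern per integration and let the other integration collect Top N, rather than trying to express the exclusion inside the regex.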
