Packetbeat flooding logs with FindSocketsOfPid errors when on system with short living processes


Due to the error logging here, on systems running many short living processes, we realized that packetbeat is flooding logs with entries like the following:

{"log.level":"error","@timestamp":"2022-06-09T15:25:57.629+0200","log.origin":{"":"procs/procs_linux.go","file.line":115},"message":"FindSocketsOfPid: open /proc/15404/fd: no such file or directory","":"packetbeat","ecs.version":"1.6.0"}

This happens when packetbeat.procs.enabled: true. We cannot find any way to disable such log messages (while keeping the level to error to still get useful logs) and believe that this should not be logged as an error, given that the execution is continuing.

Process data is added on best effort, given that packetbeat process info is originating from procfs. In case of short living processes, no process data is added considering that by the time this enrichment takes place, the connected procfs directory may not exist.

This type of log entry should be on level warning or info, so as to support best-effort enrichment without flooding the logs.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.