Parent process sometimes missing

vaclav · September 16, 2019, 11:55am

Hello,
I am using this processor to get information about process parent:

add_process_metadata:
match_pids: [ process.ppid ]
target: process.parent

but sometimes is parent process missing in auditbeat messages
I found this issues for processes started from crontab, but looks like there also other processes without parent.
Do you please know why is parent process missing or how to investigate this issue ?

Thanks

Regards

cwurm · September 17, 2019, 11:08am

Most likely this is due to the process having exited by the time the processor is called. Many processes are very short-lived. If you turn on debug logging (./auditbeat -e -d "*") you should be seeing messages starting with failed to get process metadata for PID=.

Topic		Replies	Views
Auditbeat error with add_process_metadata missing Beats auditbeat	3	783	October 26, 2018
Auditbeat System module: Add parent process entity_id field to process and socket events Beats auditbeat	8	1219	April 29, 2019
Metricbeat does not see all processes Beats metricbeat	1	177	November 29, 2023
Auditbeat [7.11.2 and 7.12.0] memory issue Beats auditbeat	8	666	April 29, 2021
Auditbeat socket dataset doesn't correlate process info Beats auditbeat	5	463	February 10, 2021

Parent process sometimes missing

Related topics