Hello,
I am using this processor to get information about process parent:
but sometimes is parent process missing in auditbeat messages
I found this issues for processes started from crontab, but looks like there also other processes without parent.
Do you please know why is parent process missing or how to investigate this issue ?
Thanks
Regards
Most likely this is due to the process having exited by the time the processor is called. Many processes are very short-lived. If you turn on debug logging (./auditbeat -e -d "*") you should be seeing messages starting with failed to get process metadata for PID=.
This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.