Server 2003 - PIDs not recognized

Hi,

I'm not quite sure if Windows Server 2003 is supported. But XP is, so I thought Server 2003 would be too.
The issue:

The log in C:/programdata/logs/topbeat is showing these lines:

And so on. Not only #4, but every PID number is unknown.

I installed topbeat with the following topbeat.yml:

input:
  period: 10
  procs: [".*"]
  stats:
    system: true
    process: true
    filesystem: true
    cpu_per_core: true
output:
  logstash:
    hosts: ["192.168.43.53:5044"]
    tls:
      certificate_authorities: ["C:/cert/logstash-forwarder.crt"]
shipper:
logging:
  files:
    rotateeverybytes: 10485760 # = 10MB

Am I missing something? It's a fresh Server 2003 install, with no firewall or other third party tools enabled.

Topbeat uses a WMI query to get the command line, but the query it uses is supported by Windows 2008 and newer according to the Windows documentation (see "Minimum supported server").

It should be possible to provide process details without the command line info, but that probably will require some changes to the error handling. Am I correct that no process events are being sent to Logstash due to this error?

Officially Topbeat is supported on Windows 2012R2 (for paid support subscriptions); see Support Matrix | Elastic. And this is what we test on.

Hi andrewkroh,

Thanks for replying, that clears things up.

Yes, nothing is sent to Logstash.

As for my goal:
I'm trying to visualize system metrics from Server 2003 and Server 2008 in Kibana, via Logstash and Elasticsearch.

What do you suggest is the best solution to achieve my goal?
As a note, I prefer to use the latest stable versions, instead of the Alpha-2.

In my current setup, data is visualized in Kibana from a Server 2012, with the metrics sent via Topbeat.
I'd like to add Server 2003 and 2008 as well.

Kind regards,

Kevin

I think the only way you will be able to retrieve process metrics is to enhance Topbeat to not attempt to retrieve the process command line on Windows 2003 and XP. This will prevent the error that you are seeing and enable you to get the other process metrics. Unfortunately this is going to require code changes and a new release (so it's not going to be an immediate fix). Can you open a bug report in the elastic/beats repo for this issue on Windows 2003?

I expect that you can get CPU/memory/filesystem metrics from Win 2003 now, as is. And everything should work on Windows 2008.
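
The error-handling change discussed in the replies above (keep sending process events when the command line cannot be read), sketched as an added example. It is not Topbeat's code: `Collector`, `Lookup`, `ErrCmdLineUnsupported` and the sample processes are hypothetical, and the lookup is injected so the sketch runs without WMI.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical sentinel: the OS cannot answer the command-line query at all.
var ErrCmdLineUnsupported = errors.New("command line query unsupported on this OS")

// ProcEvent is a constructed stand-in; CmdLine stays empty when it cannot be read.
type ProcEvent struct {
	PID     int
	Name    string
	CmdLine string
}

// Collector remembers that the query is unsupported so it asks only once.
type Collector struct {
	Lookup      func(pid int) (string, error) // hypothetical command-line lookup
	Lookups     int                           // lookups attempted so far
	unsupported bool
}

// AddCmdLines fills CmdLine in place; a failure yields a warning, never a dropped event.
func (c *Collector) AddCmdLines(events []ProcEvent) (warnings []string) {
	for i := range events {
		if c.unsupported {
			break
		}
		c.Lookups++
		cmd, err := c.Lookup(events[i].PID)
		if errors.Is(err, ErrCmdLineUnsupported) {
			c.unsupported = true // warn once, stop querying on this host
			warnings = append(warnings, "command line disabled: "+err.Error())
		} else if err != nil {
			warnings = append(warnings, fmt.Sprintf("pid %d: %v", events[i].PID, err))
		} else {
			events[i].CmdLine = cmd
		}
	}
	return warnings
}

func main() {
	c := &Collector{Lookup: func(int) (string, error) { return "", ErrCmdLineUnsupported }}
	evs := []ProcEvent{{PID: 4, Name: "System"}, {PID: 368, Name: "smss.exe"}} // constructed
	fmt.Println(c.AddCmdLines(evs), evs)
}
```

The point for monitoring coverage is that one unsupported enrichment field produces a single warning rather than an error per PID and no process events at all.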