Server 2012 R2 some metrics not send


(Kevin Csuka) #1

Hi,

I am running a Server 2012 R2, a Virtual Machine hosted by VMware, with Topbeat 1.2.3.
It sends data to Logstash -> Elasticsearch. I view the data in Kibana. The metrics are visualized from the most parts. But some data is not send to Logstash, which i'd like to see.

When I look at the log file of TopBeat, with level: debug, i see this error:

2016-05-31T11:00:13+02:00 DBG Skip process pid=0: error getting process state for pid=0: OpenProcess fails with The parameter is incorrect.
2016-05-31T11:00:13+02:00 DBG Skip process pid=4: error getting process state for pid=4: OpenProcess fails with Access is denied.
2016-05-31T11:00:13+02:00 DBG Windows is interactive: false

Image of the debug log: http://imgur.com/LpV5aVE

No info in Kibana: http://imgur.com/Rdty6HM
But some data is: http://imgur.com/GFHyEyv

Is there something I can do to view all information?
Thanks.


(Andrew Kroh) #2

What user are you running Topbeat as? In order for Topbeat to be able to read information about all processes it needs to be run as a super user. Try running it as Administrator.


(Kevin Csuka) #3

I did install and executed as administrator. It made no change.
The same error remains.


(Andrew Kroh) #4

If you find those processes in the task manager, who are they owned by? What are they? I haven't seen this before (when topbeat is run as admin).


(Kevin Csuka) #5

The processes are owned by SYSTEM. Topbeat is also executed as SYSTEM.
When I open ProcessMonitor, and filter to view only the TopBeat process, I see some information regarding 'name not found' or 'File locked with only readers'.

Images:

Is there anything else I can try?


(Kevin Csuka) #6

Like nothing?


(Andrew Kroh) #7

I'm not sure what's causing this. Does the same issue occur if you run Topbeat from a shell (not as a service) as the administrator?

For example:

PS > .\topbeat.exe -c path\to\config.yml -e -d "*"

(Kevin Csuka) #8

Result:
http://imgur.com/SUOvJT8


(Kevin Csuka) #9

If you want I could give you access to the server, so you can debug on the server yourself.
Or do you want me to provide more information?


(Andrew Kroh) #10

Could you please open a issue on Github in the elastic/beats repo for this. It sounds like multiple people are experiencing the problem.

I want to do a bit more research into the Windows syscalls we are making (like OpenProcess) and see if there is any more debugging information I can add to the software. I didn't write this section of code so I need to familiarize myself with it. I will also check in with the original author to see if she has any insight into the issue.


(Kevin Csuka) #11

Allright, thanks for the reply.

The github issue can be found here: https://github.com/elastic/beats/issues/1897


(system) #12