I am running a Server 2012 R2, a Virtual Machine hosted by VMware, with Topbeat 1.2.3.
It sends data to Logstash -> Elasticsearch. I view the data in Kibana. The metrics are visualized for the most part. But some data is not sent to Logstash, which I'd like to see.
When I look at the log file of TopBeat, with level: debug, I see this error:
2016-05-31T11:00:13+02:00 DBG Skip process pid=0: error getting process state for pid=0: OpenProcess fails with The parameter is incorrect.
2016-05-31T11:00:13+02:00 DBG Skip process pid=4: error getting process state for pid=4: OpenProcess fails with Access is denied.
2016-05-31T11:00:13+02:00 DBG Windows is interactive: false
Image of the debug log: http://imgur.com/LpV5aVE
No info in Kibana: http://imgur.com/Rdty6HM
But some data is: http://imgur.com/GFHyEyv
Is there something I can do to view all information?
What user are you running Topbeat as? In order for Topbeat to be able to read information about all processes it needs to be run as a super user. Try running it as Administrator.
I did install and execute it as administrator. It made no change.
The same error remains.
If you find those processes in the task manager, who are they owned by? What are they? I haven't seen this before (when topbeat is run as admin).
The processes are owned by SYSTEM. Topbeat is also executed as SYSTEM.
When I open ProcessMonitor, and filter to view only the TopBeat process, I see some information regarding 'name not found' or 'File locked with only readers'.
Is there anything else I can try?
I'm not sure what's causing this. Does the same issue occur if you run Topbeat from a shell (not as a service) as the administrator?
PS > .\topbeat.exe -c path\to\config.yml -e -d "*"
If you want I could give you access to the server, so you can debug on the server yourself.
Or do you want me to provide more information?
Could you please open an issue on GitHub in the elastic/beats repo for this. It sounds like multiple people are experiencing the problem.
I want to do a bit more research into the Windows syscalls we are making (like OpenProcess) and see if there is any more debugging information I can add to the software. I didn't write this section of code so I need to familiarize myself with it. I will also check in with the original author to see if she has any insight into the issue.
All right, thanks for the reply.
The GitHub issue can be found here: https://github.com/elastic/beats/issues/1897