Wmi: cannot load field "CommandLine" into a "string": unsupported type (<nil>)

Hi,

I am using

elasticsearch-5.6.1
kibana-5.6.1
logstash-5.6.1
metricbeat-5.6.1
packetbeat-5.6.1
x-pack-5.6.1

for Windows Server 2012 R2

I am working on Metricbeat and found this error.

2018/03/14 15:16:48.733387 helper.go:347: ERR Error getting process details. pid=2472: error getting process arguments for pid=2472: ProcArgs failed for pid=2472: could not get Win32_Process
 WHERE ProcessId = 2472: wmi: cannot load field "CommandLine" into a "string": unsupported type (<nil>)
2018/03/14 15:16:48.845387 helper.go:347: ERR Error getting process details. pid=7052: error getting process arguments for pid=7052: ProcArgs failed for pid=7052: could not get Win32_Process
 WHERE ProcessId = 7052: wmi: cannot load field "CommandLine" into a "string": unsupported type (<nil>)
2018/03/14 15:16:58.755113 helper.go:347: ERR Error getting process details. pid=2472: error getting process arguments for pid=2472: ProcArgs failed for pid=2472: could not get Win32_Process
 WHERE ProcessId = 2472: wmi: cannot load field "CommandLine" into a "string": unsupported type (<nil>)
2018/03/14 15:17:01.683231 helper.go:347: ERR Error getting process details. pid=7052: error getting process arguments for pid=7052: ProcArgs failed for pid=7052: could not get Win32_Process
 WHERE ProcessId = 7052: wmi: cannot load field "CommandLine" into a "string": unsupported type (<nil>)
2018/03/14 15:17:08.736718 helper.go:347: ERR Error getting process details. pid=2472: error getting process arguments for pid=2472: ProcArgs failed for pid=2472: could not get Win32_Process
 WHERE ProcessId = 2472: wmi: cannot load field "CommandLine" into a "string": unsupported type (<nil>)
2018/03/14 15:17:08.847724 helper.go:347: ERR Error getting process details. pid=7052: error getting process arguments for pid=7052: ProcArgs failed for pid=7052: could not get Win32_Process
 WHERE ProcessId = 7052: wmi: cannot load field "CommandLine" into a "string": unsupported type (<nil>)

I looked for system.yml as stated in Cannot load field "CommandLine" into a "string": unsupported type

But I could not find system.yml. The only place where "metricset" is found is in metricbeat.yml.

metricbeat.exe -e -d "module"

2018/03/14 15:21:44.587005 wrapper.go:128: DBG  Starting Wrapper[name=system, len(metricSetWrappers)=6]
2018/03/14 15:21:44.587005 wrapper.go:149: DBG  Stopped Wrapper[name=system, len(metricSetWrappers)=6]
2018/03/14 15:21:44.587005 wrapper.go:186: DBG  Starting metricSetWrapper[module=system, name=memory, host=]
2018/03/14 15:21:44.587005 wrapper.go:186: DBG  Starting metricSetWrapper[module=system, name=network, host=]
2018/03/14 15:21:44.587005 wrapper.go:186: DBG  Starting metricSetWrapper[module=system, name=fsstat, host=]
2018/03/14 15:21:44.587005 wrapper.go:186: DBG  Starting metricSetWrapper[module=system, name=cpu, host=]
2018/03/14 15:21:44.587005 wrapper.go:186: DBG  Starting metricSetWrapper[module=system, name=process, host=]
2018/03/14 15:21:44.587005 wrapper.go:186: DBG  Starting metricSetWrapper[module=system, name=filesystem, host=]

Let me know how to solve this issue.

Thanks.

Phil

Could you check what those PIDs are with another tool like the Task Manager?

I'm wondering if they are protected processes or something special.

Hi

Yes I see them as something "xagt.exe".

Thanks.

Phil

Interesting. Can you run a PowerShell command and share what it returns? Replace the process ID with one that's giving you the error in Metricbeat.

PS C:\Users\me > Get-WmiObject -Query "select * from win32_process where ProcessId=2472" | Format-List

2472

__GENUS                    : 2
__CLASS                    : Win32_Process
__SUPERCLASS               : CIM_Process
__DYNASTY                  : ****************
__RELPATH                  : Win32_Process.Handle="2472"
__PROPERTY_COUNT           : 45
__DERIVATION               : {*********************}
__SERVER                   : *********
__NAMESPACE                : ***********
__PATH                     : ************="2472"
Caption                    : xagt.exe
CommandLine                :
CreationClassName          : Win32_Process
CreationDate               : *********.118869-240
CSCreationClassName        : Win32_ComputerSystem
CSName                     : ***********
Description                : xagt.exe
ExecutablePath             :
ExecutionState             :
Handle                     : 2472
HandleCount                : 352
InstallDate                :
KernelModeTime             : 215000000
MaximumWorkingSetSize      : 1380
MinimumWorkingSetSize      : 200
Name                       : xagt.exe
OSCreationClassName        : Win32_OperatingSystem
OSName                     : Microsoft Windows Server 2012 R2 Standard|************
OtherOperationCount        : 304541
OtherTransferCount         : 2292436
PageFaults                 : 537908
PageFileUsage              : 11100
ParentProcessId            : 576
PeakPageFileUsage          : 48064
PeakVirtualSize            : **********
PeakWorkingSetSize         : 51664
Priority                   : 8
PrivatePageCount           : 11366400
ProcessId                  : 2472
QuotaNonPagedPoolUsage     : 20
QuotaPagedPoolUsage        : 177
QuotaPeakNonPagedPoolUsage : 30
QuotaPeakPagedPoolUsage    : 187
ReadOperationCount         : 579821
ReadTransferCount          : 908215321
SessionId                  : 0
Status                     :
TerminationDate            :
ThreadCount                : 11
UserModeTime               : 223750000
VirtualSize                : *****************
WindowsVersion             : 6.3.9600
WorkingSetSize             : 15237120
WriteOperationCount        : 1169648
WriteTransferCount         : 782955054
PSComputerName             : **********
ProcessName                : xagt.exe
Handles                    : 352
VM                         : **************
WS                         : ************
Path                       :

7052

Similar to above

Ok, this sounds like an error that Metricbeat should handle. When it gets a null string back from WMI it should either send an empty system.process.cmdline field or omit it.

Can you please open a new issue in https://github.com/elastic/beats/issues/new for this. Drop a link to this discussion in the ticket.

For now you can continue using Metricbeat and ignore those errors. You will continue to get data on other processes. It should just be for xagt.exe that you don't get any metrics on.
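
The handling suggested above, sketched in Go as an added example (not Metricbeat's code and not written by anyone in this thread). The `row` map is a constructed stand-in for a Win32_Process result, and `strictString`, `optionalString` and `processEvent` are hypothetical helpers.

```go
package main

import "fmt"

// row is a constructed stand-in for one Win32_Process result: property name
// to value, where nil models the empty CommandLine WMI returned for xagt.exe.
type row map[string]interface{}

// strictString mirrors the failure in the log: a null value is rejected.
func strictString(r row, field string) (string, error) {
	s, ok := r[field].(string)
	if !ok {
		return "", fmt.Errorf("cannot load field %q into a \"string\": unsupported type (%T)", field, r[field])
	}
	return s, nil
}

// optionalString treats null as "no value" instead of an error.
func optionalString(r row, field string) (*string, error) {
	switch v := r[field].(type) {
	case nil:
		return nil, nil
	case string:
		return &v, nil
	default:
		return nil, fmt.Errorf("field %q: unexpected type %T", field, v)
	}
}

// processEvent omits system.process.cmdline when WMI returned null, so the
// remaining metrics for that process are still reported.
func processEvent(r row) (map[string]interface{}, error) {
	ev := map[string]interface{}{"system.process.name": r["Name"], "system.process.pid": r["ProcessId"]}
	cmd, err := optionalString(r, "CommandLine")
	if err != nil {
		return nil, err
	}
	if cmd != nil {
		ev["system.process.cmdline"] = *cmd
	}
	return ev, nil
}

func main() {
	r := row{"Name": "xagt.exe", "ProcessId": 2472, "CommandLine": nil} // constructed
	_, err := strictString(r, "CommandLine")
	fmt.Println("strict:", err)
	fmt.Println(processEvent(r))
}
```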

Thanks.

Seems that I need to create a new GitHub account to open an issue?
