elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

[metricbeat/system][windows] - Metricbeat reports DEGRADED while running in privileged mode #40484

Open VihasMakwana opened 1 month ago

VihasMakwana commented 1 month ago
elasticmachine commented 1 month ago

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

cmacknz commented 1 month ago

What data stream was this observed for? Are there logs you can attach to the issue?

VihasMakwana commented 3 weeks ago

@cmacknz the errors reported are similar to https://github.com/elastic/beats/issues/40542#issue-2468808059

    - id: system/metrics-default
      state:
        message: 'Healthy: communicating with pid ''1556'''
        pid: 0
        state: 2
        units:
            input-system/metrics-default-system/metrics-system-5f5e65eb-2fd6-41e1-8c29-f24d57e66509:
                state: DEGRADED
                message: |-
                    Error fetching data for metricset system.process_summary: Not enough privileges to fetch information: Not enough privileges to fetch information: GetInfoForPid: could not get all information for PID 0: error fetching name: OpenProcess failed for pid=0: The parameter is incorrect.
                    error fetching status: OpenProcess failed for pid=0: The parameter is incorrect.
                    GetInfoForPid: could not get all information for PID 4: error fetching name: GetProcessImageFileName failed for pid=4: GetProcessImageFileName failed: invalid argument
                payload:
                    streams:
                        system/metrics-system.process.summary-5f5e65eb-2fd6-41e1-8c29-f24d57e66509:
                            error: |-
                                Error fetching data for metricset system.process_summary: Not enough privileges to fetch information: Not enough privileges to fetch information: GetInfoForPid: could not get all information for PID 0: error fetching name: OpenProcess failed for pid=0: The parameter is incorrect.
                                error fetching status: OpenProcess failed for pid=0: The parameter is incorrect.
                                GetInfoForPid: could not get all information for PID 4: error fetching name: GetProcessImageFileName failed for pid=4: GetProcessImageFileName failed: invalid argument
                            status: DEGRADED

There's a coincidence. All these PIDs refer to SYSTEM processes. On Windows, we try to open the process with PROCESS_VM_READ and PROCESS_QUERY_LIMITED_INFORMATION access rights. More info here. An administrator can open a system process with PROCESS_QUERY_LIMITED_INFORMATION, but not with PROCESS_VM_READ. This results in an error.

This seems to be related to https://github.com/elastic/beats/issues/17314
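The access-right behaviour described in the comment above can be checked directly on a host. The following is an added example, not code from Beats or from the commenter; it calls OpenProcess through P/Invoke with the two access masks mentioned (PROCESS_VM_READ = 0x0010, PROCESS_QUERY_LIMITED_INFORMATION = 0x1000) against PID 0 and PID 4 and assumes it is run from an elevated PowerShell session on Windows.

```powershell
# Added example: probe which OpenProcess access masks succeed for SYSTEM PIDs.
$sig = @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
$k32 = Add-Type -MemberDefinition $sig -Name 'Kernel32Probe' -Namespace 'Probe' -PassThru

# Win32 process access rights (values from the Windows SDK).
$PROCESS_VM_READ                   = 0x0010
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

function Test-ProcessAccess {
    param([uint32]$ProcessId, [uint32]$Access, [string]$Label)
    $h   = $k32::OpenProcess($Access, $false, $ProcessId)
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($h -eq [IntPtr]::Zero) {
        # Translate the Win32 error code into the same text that appears in the Metricbeat log.
        $msg = (New-Object System.ComponentModel.Win32Exception($err)).Message
        [pscustomobject]@{ Pid = $ProcessId; Access = $Label; Opened = $false; Error = "$err ($msg)" }
    } else {
        [void]$k32::CloseHandle($h)
        [pscustomobject]@{ Pid = $ProcessId; Access = $Label; Opened = $true; Error = '' }
    }
}

# PID 0 is the System Idle Process, PID 4 is the System process: the two PIDs in the report.
$results = foreach ($targetPid in 0, 4) {
    Test-ProcessAccess -ProcessId $targetPid -Access $PROCESS_QUERY_LIMITED_INFORMATION `
        -Label 'QUERY_LIMITED_INFORMATION'
    Test-ProcessAccess -ProcessId $targetPid -Access ($PROCESS_QUERY_LIMITED_INFORMATION -bor $PROCESS_VM_READ) `
        -Label 'QUERY_LIMITED_INFORMATION | VM_READ'
}
$results | Format-Table -AutoSize
```

On an elevated session the expected picture is that PID 0 cannot be opened with either mask (error 87, "The parameter is incorrect", as in the log), while PID 4 opens with PROCESS_QUERY_LIMITED_INFORMATION alone but not once PROCESS_VM_READ is added; an unelevated session fails more broadly, which is a quick way to tell a privilege problem from the SYSTEM-process limitation discussed here.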