elastic / elastic-agent

Elastic Agent - single, unified way to add monitoring for logs, metrics, and other types of data to a host.

[Windows] - `system.diskio` datastream missing on Kibana for unprivileged mode. #4982

Open VihasMakwana opened 3 weeks ago

VihasMakwana commented 3 weeks ago

There's one particular error showing up after giving all necessary privileges in unprivileged mode.

It tries to open a volume (not the filesystem) to fetch performance counters. As per this Microsoft doc:

> Direct access to the disk or to a volume is restricted.

We can fix this error by giving administrative privileges to our unprivileged user. But isn't it the very thing we're trying to avoid?

Originally posted by @VihasMakwana in https://github.com/elastic/elastic-agent/issues/4705#issuecomment-2180956979

elasticmachine commented 3 weeks ago

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

pierrehilbert commented 3 weeks ago

Best option is probably to handle this type of error by having:

  1. Debug logs mentioning that this requires Agent to be run as privileged to get access to the volume
  2. The input reporting as degraded (as we are planning to do with those issues https://github.com/elastic/beats/issues/39736 & https://github.com/elastic/beats/issues/39737)
  3. Our doc mentioning clearly this won't work on Windows in unprivileged mode

WDYT?

VihasMakwana commented 3 weeks ago

> Best option is probably to handle this type of error by having:
>
>   1. Debug logs mentioning that this requires Agent to be run as privileged to get access to the volume
>   2. The input reporting as degraded (as we are planning to do with those issues [Elastic Agent] Allow Metricbeat metricsets to report their status to the Elastic Agent beats#39736 & [Elastic Agent] The system/metrics input should report itself as degraded when it encounters a permissions error beats#39737)
>   3. Our doc mentioning clearly this won't work on Windows in unprivileged mode
>
> WDYT?

I agree with you, and this would also help with excessive error logging.
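The handling proposed above (a debug-level hint, the input reporting itself as degraded rather than failed, and no repeated error spam on every fetch) as an added Go sketch; this is not code from Beats or Elastic Agent. The `Status` levels, the `Reporter` interface and `DiskIOCollector` are assumptions standing in for the real status API, and `DenyingOpener` is a constructed stand-in for the Windows volume open that fails with access denied:

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"log"
)

// Status is the health an input reports to the agent. Assumption: the three
// levels follow the thread's proposal, not the real Agent/Beats API.
type Status int

const (
	Healthy Status = iota
	Degraded
	Failed
)

func (s Status) String() string {
	return [...]string{"healthy", "degraded", "failed"}[s]
}

// Reporter is a hypothetical stand-in for the status callback an input gets
// from the agent.
type Reporter interface {
	UpdateStatus(s Status, msg string)
}

// MemReporter keeps the last report so callers (and tests) can inspect it.
type MemReporter struct {
	Last Status
	Msg  string
}

func (m *MemReporter) UpdateStatus(s Status, msg string) { m.Last, m.Msg = s, msg }

// UnprivilegedHint is the message surfaced when volume access is denied.
const UnprivilegedHint = "direct volume access is restricted for unprivileged users on Windows; run the Agent as privileged to collect system.diskio"

// DiskIOCollector wraps the platform-specific "open the volume and read its
// counters" step and decides how each error is surfaced.
type DiskIOCollector struct {
	openVolume func(volume string) error
	reporter   Reporter
	logger     *log.Logger
	warned     map[string]bool // volumes already logged about, so each fetch does not repeat the hint
}

func NewDiskIOCollector(open func(string) error, r Reporter, l *log.Logger) *DiskIOCollector {
	if l == nil {
		l = log.Default()
	}
	return &DiskIOCollector{openVolume: open, reporter: r, logger: l, warned: map[string]bool{}}
}

// WarnedVolumes reports how many volumes have had the hint logged so far.
func (c *DiskIOCollector) WarnedVolumes() int { return len(c.warned) }

// Fetch tries every volume once and returns the status it reported:
// permission errors degrade the input (logging the hint once per volume at
// debug level); any other error fails it; no errors keep it healthy.
func (c *DiskIOCollector) Fetch(volumes []string) Status {
	status := Healthy
	for _, v := range volumes {
		err := c.openVolume(v)
		switch {
		case err == nil:
		case errors.Is(err, fs.ErrPermission):
			if !c.warned[v] {
				c.logger.Printf("DEBUG diskio %s: %v (%s)", v, err, UnprivilegedHint)
				c.warned[v] = true
			}
			if status < Degraded {
				status = Degraded
			}
		default:
			c.logger.Printf("ERROR diskio %s: %v", v, err)
			status = Failed
		}
	}
	msg := ""
	if status == Degraded {
		msg = UnprivilegedHint
	}
	c.reporter.UpdateStatus(status, msg)
	return status
}

// DenyingOpener is a constructed stand-in for the Windows open: the listed
// volumes fail with an error that errors.Is matches to fs.ErrPermission,
// as a real denied os.Open does.
func DenyingOpener(denied ...string) func(string) error {
	set := map[string]bool{}
	for _, d := range denied {
		set[d] = true
	}
	return func(v string) error {
		if set[v] {
			return fmt.Errorf("open %s: %w", v, fs.ErrPermission)
		}
		return nil
	}
}

func main() {
	rep := &MemReporter{}
	c := NewDiskIOCollector(DenyingOpener(`\\.\D:`), rep, nil)
	for i := 0; i < 3; i++ { // repeated fetches: the hint is logged only once
		c.Fetch([]string{`\\.\C:`, `\\.\D:`})
	}
	fmt.Println("input status:", rep.Last, "-", rep.Msg)
}
```

The point of the `warned` map is the second half of the thread's concern: a permission error on a volume is stable across fetches, so the hint is useful once and noise thereafter, while the degraded status stays visible in Fleet for as long as the condition persists.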

blakerouse commented 3 weeks ago

Could you try to add the elastic-agent-user to the Performance Monitor Users group and see if it fixes the issue?

cmacknz commented 3 weeks ago

The datastream also needs to be marked as requiring root in the integration: https://github.com/elastic/integrations/blob/main/packages/system/data_stream/diskio/manifest.yml

Example here: https://github.com/elastic/integrations/blob/8be6041db024b306f8ff93f628363bfcb4d6279c/packages/system/data_stream/syslog/manifest.yml#L57-L59

I think this is missing from a few data streams in that package.

VihasMakwana commented 3 weeks ago

> The datastream also needs to be marked as requiring root in the integration: https://github.com/elastic/integrations/blob/main/packages/system/data_stream/diskio/manifest.yml
>
> Example here: https://github.com/elastic/integrations/blob/8be6041db024b306f8ff93f628363bfcb4d6279c/packages/system/data_stream/syslog/manifest.yml#L57-L59
>
> I think this is missing from a few data streams in that package.

Thanks for finding this out. I'll raise a PR.