Document the new process monitor features
- Windows support
- UDP support
- cmdline fields
adriansr committed Jul 12, 2018
1 parent 7bf0943 commit 5a48b17
Showing 1 changed file with 13 additions and 8 deletions.
21 changes: 13 additions & 8 deletions packetbeat/docs/packetbeat-options.asciidoc
@@ -1283,15 +1283,15 @@ process matching is disabled.
When Packetbeat starts, and then periodically afterwards, it scans the process table for
processes that match the configuration file. For each of these processes, it
monitors which file descriptors it has opened. When a new packet is captured,
it reads the list of active TCP connections and matches the corresponding one
it reads the list of active TCP and UDP connections and matches the corresponding one
with the list of file descriptors.

On a Linux system, all this information is available via the `/proc`
file system, so Packetbeat doesn't need a kernel module.

All this information is available via system interfaces: The `/proc` file system
in Linux and the IP Helper API (`iphlpapi.dll`) on Windows, so {beatname_uc}
doesn't need a kernel module.

NOTE: Process monitoring is currently only supported on
Linux systems. Packetbeat automatically disables
Linux and Windows systems. Packetbeat automatically disables
process monitoring when it detects other operating systems.

Example configuration:
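Review bot: The new paragraph ("All this information is available via system interfaces ...") switches to the `{beatname_uc}` attribute while the unchanged sentence above it ("When Packetbeat starts ...") and the modified NOTE below it still spell out "Packetbeat" literally; pick one form for the whole section. Two small wording fixes in the same added lines: lowercase the word after the colon ("system interfaces: the `/proc` file system") and use "on Linux" to match "on Windows" in the same sentence. The NOTE change from "Linux systems" to "Linux and Windows systems" is consistent with the commit message, but the sentence still ends with "when it detects other operating systems"; consider naming the supported pair once more there, or simply "on any other operating system", so the two halves of the NOTE read together.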
@@ -1314,6 +1314,14 @@ packetbeat.procs:
cmdline_grep: gunicorn
------------------------------------------------------------------------------

When the process monitor is enabled, it will enrich all the events whose source
or destination is a local process. The `cmdline` and/or `client_cmdline` fields
will be added to an event, when the server side or client side of the connection
belong to a local process, respectively. Additionally, you can specify a pattern
using the `cmdline_grep` option, to also name those processes. This will cause
the `proc` and `client_proc` fields to be added to an event, with the name of
the matched process.

[float]
=== Configuration options
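Review bot: In the added paragraph, "when the server side or client side of the connection belong to a local process, respectively" should read "belongs", and the comma before "when" is not needed; the "respectively" also pairs `cmdline`/`client_cmdline` with server/client, which is correct but only if the sentence order is kept, so consider stating it directly: "`cmdline` is added when the server side of the connection is a local process, `client_cmdline` when the client side is." The phrase "to also name those processes" followed by "with the name of the matched process" is ambiguous about whose name lands in `proc` and `client_proc`: the name the user gives in the configuration, or the name of the matching executable; say which. Finally, since `cmdline` and `client_cmdline` carry the full command line of the matched process, the documentation would benefit from one sentence pointing out that any arguments present on that command line (including credentials passed as flags) will be shipped in the event, so readers can decide whether to restrict `cmdline_grep` patterns or drop the field downstream.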

@@ -1350,6 +1358,3 @@ Example configuration:
-------------------------------------------------------------------------------------
packetbeat.shutdown_timeout: 5s
-------------------------------------------------------------------------------------


