Specify which processes to monitor

edit

Specify which processes to monitor

edit

This section of the packetbeat.yml config file is optional, but configuring the processes enables Packetbeat to show you not only the servers that the traffic is flowing between, but also the processes. Packetbeat can even show you the traffic between two processes running on the same host, which is particularly useful when you have many services running on the same server. By default, process matching is disabled.

When Packetbeat starts, and then periodically afterwards, it scans the process table for processes that match the configuration file. For each of these processes, it monitors which file descriptors it has opened. When a new packet is captured, it reads the list of active TCP connections and matches the corresponding one with the list of file descriptors.

On a Linux system, all this information is available via the /proc file system, so Packetbeat doesn’t need a kernel module.

Process monitoring is currently only supported on Linux systems. Packetbeat automatically disables process monitoring when it detects other operating systems.

Example configuration:

packetbeat.procs:
  enabled: true
  monitored:
    - process: mysqld
      cmdline_grep: mysqld

    - process: pgsql
      cmdline_grep: postgres

    - process: nginx
      cmdline_grep: nginx

    - process: app
      cmdline_grep: gunicorn

Configuration options

edit

You can specify the following process monitoring options in the monitored section of the packetbeat.yml config file:

process

edit

The name of the process as it will appear in the published transactions. The name doesn’t have to match the name of the executable, so feel free to choose something more descriptive (for example, "myapp" instead of "gunicorn").

cmdline_grep

edit

The name used to identify the process at run time. When Packetbeat starts, and then periodically afterwards, it scans the process table for processes that match the values specified for this option. The match is done against the process' command line as read from /proc/<pid>/cmdline.

shutdown_timeout

edit

How long Packetbeat waits on shutdown. By default, this option is disabled. Packetbeat will wait for shutdown_timeout and then close. It will not track if all events were sent previously.

Example configuration:

packetbeat.shutdown_timeout: 5s