This section of the
packetbeat.yml config file is optional, but configuring
the processes enables Packetbeat to show you not only the servers that the
traffic is flowing between, but also the processes. Packetbeat can even show you
the traffic between two processes running on the same host, which is particularly
useful when you have many services running on the same server. By default,
process matching is disabled.
When Packetbeat starts, and then periodically afterwards, it scans the process table for processes that match the configuration file. For each of these processes, it monitors which file descriptors it has opened. When a new packet is captured, it reads the list of active TCP connections and matches the corresponding one with the list of file descriptors.
On a Linux system, all this information is available via the
file system, so Packetbeat doesn’t need a kernel module.
Process monitoring is currently only supported on Linux systems. Packetbeat automatically disables process monitoring when it detects other operating systems.
packetbeat.procs: enabled: true monitored: - process: mysqld cmdline_grep: mysqld - process: pgsql cmdline_grep: postgres - process: nginx cmdline_grep: nginx - process: app cmdline_grep: gunicorn
You can specify the following process monitoring options in the
packetbeat.yml config file:
The name of the process as it will appear in the published transactions. The name doesn’t have to match the name of the executable, so feel free to choose something more descriptive (for example, "myapp" instead of "gunicorn").
The name used to identify the process at run time. When Packetbeat starts, and then
periodically afterwards, it scans the process table for
processes that match the values specified for this option. The match is done against the
process' command line as read from