Monitored Processesedit

This section of the packetbeat.yml config file is optional, but configuring the processes enables Packetbeat to show you not only the servers that the traffic is flowing between, but also the processes. Packetbeat can even show you the traffic between two processes running on the same host, which is particularly useful when you have many services running on the same server. By default, process matching is disabled.

When Packetbeat starts, and then periodically afterwards, it scans the process table for processes that match the configuration file. For each of these processes, it monitors which file descriptors it has opened. When a new packet is captured, it reads the list of active TCP connections and matches the corresponding one with the list of file descriptors.

On a Linux system, all this information is available via the /proc file system, so Packetbeat doesn’t need a kernel module.

Note

Process monitoring is currently only supported on Linux systems. Packetbeat automatically disables process monitoring when it detects other operating systems.

Example configuration:

packetbeat.procs:
  enabled: true
  monitored:
    - process: mysqld
      cmdline_grep: mysqld

    - process: pgsql
      cmdline_grep: postgres

    - process: nginx
      cmdline_grep: nginx

    - process: app
      cmdline_grep: gunicorn

Process Monitoring Optionsedit

You can specify the following process monitoring options in the monitored section of the packetbeat.yml config file:

processedit

The name of the process as it will appear in the published transactions. The name doesn’t have to match the name of the executable, so feel free to choose something more descriptive (for example, "myapp" instead of "gunicorn").

cmdline_grepedit

The name used to identify the process at run time. When Packetbeat starts, and then periodically afterwards, it scans the process table for processes that match the values specified for this option. The match is done against the process' command line as read from /proc/<pid>/cmdline.