Continuation of #8561 - add windows.service.start_name and windows.se…

…rvice.path_name (#11877) * implement issue #8364 in metricbeat windows module, pathname and usename of service * Fix changelog entries * Update changelog * resolved rebase merge issue
elastic · Apr 26, 2019 · d421be8 · d421be8
1 parent e03993f
commit d421be8
Show file tree

Hide file tree

Showing 6 changed files with 78 additions and 9 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -166,6 +166,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Allow module configurations to have variants {pull}9118[9118]
 - Add `timeseries.instance` field calculation. {pull}10293[10293]
 - Added new disk states and raid level to the system/raid metricset. {pull}11613[11613]
+- Added `path_name` and `start_name` to service metricset on windows module {issue}8364[8364] {pull}11877[11877]
 - Add check on object name in the counter path if the instance name is missing {issue}6528[6528] {pull}11878[11878]
 
 *Packetbeat*

diff --git a/metricbeat/docs/fields.asciidoc b/metricbeat/docs/fields.asciidoc
@@ -26726,6 +26726,30 @@ type: keyword
 The startup type of the service. The possible values are `Automatic`, `Boot`, `Disabled`, `Manual`, and `System`.
 
 
+--
+
+*`windows.service.start_name`*::
++
+--
+type: keyword
+
+example: NT AUTHORITY\LocalService
+
+Account name under which a service runs.
+
+
+--
+
+*`windows.service.path_name`*::
++
+--
+type: keyword
+
+example: C:\WINDOWS\system32\svchost.exe -k LocalService -p
+
+Fully qualified path to the file that implements the service, including arguments.
+
+
 --
 
 *`windows.service.state`*::

diff --git a/metricbeat/module/windows/fields.go b/metricbeat/module/windows/fields.go
diff --git a/metricbeat/module/windows/service/_meta/fields.yml b/metricbeat/module/windows/service/_meta/fields.yml
@@ -29,6 +29,19 @@
         The startup type of the service. The possible values are `Automatic`,
         `Boot`, `Disabled`, `Manual`, and `System`.
 
+    - name: start_name
+      type: keyword
+      example: NT AUTHORITY\LocalService
+      description: >
+        Account name under which a service runs.
+
+    - name: path_name
+      type: keyword
+      example: C:\WINDOWS\system32\svchost.exe -k LocalService -p
+      description: >
+        Fully qualified path to the file that implements the service,
+        including arguments.
+
     - name: state
       type: keyword
       description: >

diff --git a/metricbeat/module/windows/service/service_integration_windows_test.go b/metricbeat/module/windows/service/service_integration_windows_test.go
@@ -35,6 +35,8 @@ type Win32Service struct {
 	ProcessId   uint32
 	DisplayName string
 	State       string
+	StartName   string
+	PathName    string
 }
 
 func TestData(t *testing.T) {
@@ -58,7 +60,8 @@ func TestReadService(t *testing.T) {
 
 	var wmiSrc []Win32Service
 
-	// Get services from WMI.
+	// Get services from WMI, set NonePtrZero so nil fields are turned to empty strings
+	wmi.DefaultClient.NonePtrZero = true
 	err = wmi.Query("SELECT * FROM Win32_Service ", &wmiSrc)
 	if err != nil {
 		t.Fatal(err)
@@ -87,6 +90,15 @@ func TestReadService(t *testing.T) {
 					assert.Equal(t, w.DisplayName, s["display_name"],
 						"Display name of service %v does not match", w.Name)
 				}
+				// some services come back without PathName or StartName from WMI, just skip them
+				if s["path_name"] != nil && w.PathName != "" {
+					assert.Equal(t, w.PathName, s["path_name"],
+						"Path name of service %v does not match", w.Name)
+				}
+				if s["start_name"] != nil && w.StartName != "" {
+					assert.Equal(t, w.StartName, s["start_name"],
+						"Start name of service %v does not match", w.Name)
+				}
 				// Some services have changed state before the second retrieval.
 				if w.State != s["state"] {
 					changed := s

diff --git a/metricbeat/module/windows/service/service_windows.go b/metricbeat/module/windows/service/service_windows.go
@@ -134,13 +134,15 @@ var errorNames = map[uint32]string{
 }
 
 type ServiceStatus struct {
-	DisplayName  string
-	ServiceName  string
-	CurrentState string
-	StartType    ServiceStartType
-	PID          uint32 // ID of the associated process.
-	Uptime       time.Duration
-	ExitCode     uint32 // Exit code for stopped services.
+	DisplayName      string
+	ServiceName      string
+	CurrentState     string
+	StartType        ServiceStartType
+	PID              uint32 // ID of the associated process.
+	Uptime           time.Duration
+	ExitCode         uint32 // Exit code for stopped services.
+	ServiceStartName string
+	BinaryPathName   string
 }
 
 type ServiceReader struct {
@@ -373,6 +375,21 @@ func getAdditionalServiceInfo(serviceHandle ServiceHandle, service *ServiceStatu
 		}
 		serviceQueryConfig := (*QueryServiceConfig)(unsafe.Pointer(&buffer[0]))
 		service.StartType = ServiceStartType(serviceQueryConfig.DwStartType)
+		serviceStartNameOffset := uintptr(unsafe.Pointer(serviceQueryConfig.LpServiceStartName)) - (uintptr)(unsafe.Pointer(&buffer[0]))
+		binaryPathNameOffset := uintptr(unsafe.Pointer(serviceQueryConfig.LpBinaryPathName)) - (uintptr)(unsafe.Pointer(&buffer[0]))
+
+		strBuf := new(bytes.Buffer)
+		if err := sys.UTF16ToUTF8Bytes(buffer[serviceStartNameOffset:], strBuf); err != nil {
+			return err
+		}
+		service.ServiceStartName = strBuf.String()
+
+		strBuf.Reset()
+		if err := sys.UTF16ToUTF8Bytes(buffer[binaryPathNameOffset:], strBuf); err != nil {
+			return err
+		}
+		service.BinaryPathName = strBuf.String()
+
 		break
 	}
 
@@ -476,6 +493,8 @@ func (reader *ServiceReader) Read() ([]common.MapStr, error) {
 			"name":         service.ServiceName,
 			"state":        service.CurrentState,
 			"start_type":   service.StartType.String(),
+			"start_name":   service.ServiceStartName,
+			"path_name":    service.BinaryPathName,
 		}
 
 		if service.CurrentState == "Stopped" {