
[system]: On Windows extra agentbeat is started #16236

@leehinman

Integration Name

System [system]

Dataset Name

auth

Integration Version

2.7.2

Agent Version

9.3.0

Agent Output Type

elasticsearch

Elasticsearch Version

9.3.0-SNAPSHOT

OS Version and Architecture

Windows 11

Software/API Version

No response

Error Message

No response

Event Original

No response

What did you do?

Install system integration, all default configuration

What did you see?

One agentbeat is started and it is configured to read from '/var/log'. This is just taking up extra resources on a Windows host since all the "log files" will be read from the Windows event log.

What did you expect to see?

agentbeat reading Windows events and agentbeat reading metrics.

Anything else?

The condition here:

    - type: logfile
      title: Collect logs from System instances
      description: Collecting System auth and syslog logs from files
      vars:
        - name: condition
          title: Condition
          description: |
            Condition to filter when to apply this input. Refer to
            [Host provider](https://www.elastic.co/guide/en/fleet/current/host-provider.html)
            to find the available keys and to
            [Conditions](https://www.elastic.co/guide/en/fleet/current/dynamic-input-configuration.html#conditions)
            on how to use the available keys in conditions. It defaults to
            '${host.os_version} != "12 (bookworm)" and ${host.os_version} != "13 (trixie)" and (${host.os_platform} != "amzn" or ${host.os_version} != "2023") and (${host.os_platform} != "sles" and ${host.os_version} != "15 SP1"
            and ${host.os_version} != "15 SP2" and ${host.os_version} != "15 SP3" and ${host.os_version} != "15 SP4" and ${host.os_version} != "15 SP5" and ${host.os_version} != "15 SP6" and ${host.os_version} != "15 SP7")'

allows this to run on Windows hosts, and it shouldn't.
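
The effect described in this issue, as an added example that is not part of the original report or the integration's code: a simplified stand-in for the agent's condition evaluator, applied to constructed host facts. The `"windows"` value for `host.os_platform`, the sample host dictionaries and the guarded variant are assumptions made for illustration.

```python
import re

# Default condition as quoted in the issue, rebuilt as one string.
SLES = " and ".join('${host.os_version} != "15 SP%d"' % n for n in range(1, 8))
DEFAULT_CONDITION = (
    '${host.os_version} != "12 (bookworm)" and ${host.os_version} != "13 (trixie)" '
    'and (${host.os_platform} != "amzn" or ${host.os_version} != "2023") '
    'and (${host.os_platform} != "sles" and ' + SLES + ')'
)
# Hypothetical guard (not the project's fix); "windows" is an assumed key value.
GUARDED_CONDITION = '${host.os_platform} != "windows" and ' + DEFAULT_CONDITION

# Constructed host facts, using only the keys that appear in the condition.
WINDOWS = {"host.os_platform": "windows", "host.os_version": "10.0"}
DEBIAN12 = {"host.os_platform": "debian", "host.os_version": "12 (bookworm)"}
UBUNTU = {"host.os_platform": "ubuntu", "host.os_version": "22.04"}

TOKEN = re.compile(r'\s*(?:\$\{([\w.]+)\}|"([^"]*)"|(!=|==|\(|\)|and\b|or\b))')

def evaluate(condition, host):
    """Evaluate ${var} ==/!= "literal" terms joined by and/or with parentheses."""
    tokens, pos, condition = [], 0, condition.strip()
    while pos < len(condition):
        m = TOKEN.match(condition, pos)
        if not m:
            raise ValueError("unexpected input at offset %d" % pos)
        var, lit, op = m.groups()
        tokens.append(("op", op) if op else ("val", host[var] if var else lit))
        pos = m.end()

    def atom():
        if tokens[0] == ("op", "("):
            tokens.pop(0)
            result = expr("or")
            if tokens.pop(0) != ("op", ")"):
                raise ValueError("expected closing parenthesis")
            return result
        (_, left), (_, op), (_, right) = tokens.pop(0), tokens.pop(0), tokens.pop(0)
        return (left != right) if op == "!=" else (left == right)

    def expr(level):
        # "or" binds loosest; each "or" operand is a chain of "and" terms.
        operand = (lambda: expr("and")) if level == "or" else atom
        result = operand()
        while tokens and tokens[0] == ("op", level):
            tokens.pop(0)
            nxt = operand()  # always consume the operand, then combine
            result = (result or nxt) if level == "or" else (result and nxt)
        return result

    return expr("or")
```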
