Description
For confirmed bugs, please report:
- Version: At least 8.17.1 (likely earlier) -> 9.0.0-beta
- Operating System: Windows Server (tested on 2019)
- Steps to Reproduce:
* Set up the Microsoft DNS server
* Install Elastic Agent
* Add the Microsoft DNS Server Integration with defaults
* Stop the Elastic Agent service
* Notice the Elastic-DNSServer-Analytical ETW trace remains
```
PS C:\> logman query -ets

Data Collector Set                      Type                          Status
-------------------------------------------------------------------------------
AppModel                                Trace                         Running
Elastic-DNSServer-Analytical            Trace                         Running
DiagLog                                 Trace                         Running
EventLog-Application                    Trace                         Running
EventLog-System                         Trace                         Running
NtfsLog                                 Trace                         Running
...
```

This is just a specific testable scenario that speaks to a potentially broader issue. The integration within the filebeat portion of the agentbeat.exe process has code to stop that trace upon the integration being stopped, but that code never runs when Agent stops. Additionally, the code does not run when Agent is left running, but the integration is removed.
Through debugging, it's been observed during the Elastic Agent service stop that the elastic-agent.exe service process calls NtTerminateProcess() upon the agentbeat.exe process hosting the filebeat integration. The agentbeat.exe process does not itself run its cleanup code and cleanly exit.
It would seem that IPC between the elastic-agent.exe process and the subordinate agentbeat.exe process is not occurring in a way to trigger clean shutdowns, at least in this instance.
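
An operator-side check for the service-stop scenario reported above, as an added example that is not part of the original report or the Elastic code base: it parses `logman query -ets` and flags the trace session when it is still present while the agent is down. The service name `Elastic Agent`, the script parameters and the helper name `Get-EtwSession` are assumptions; the session and process names come from the report.

```powershell
# Added example, not Elastic's code. Run from an elevated prompt.
# Assumed: service name 'Elastic Agent'. From the report: session name, agentbeat.exe.
param(
    [string]$SessionName = 'Elastic-DNSServer-Analytical',
    [string]$ServiceName = 'Elastic Agent',
    [switch]$StopOrphan    # without this switch the script only reports
)

function Get-EtwSession {
    # Turn the table printed by `logman query -ets` into objects.
    # Rows follow the dashed separator; columns are split by runs of 2+ spaces.
    param([string[]]$Lines)
    $inTable = $false
    foreach ($line in $Lines) {
        if ($line -match '^-{10,}\s*$') { $inTable = $true; continue }
        if (-not $inTable) { continue }
        if ($line -match '^(?<name>\S.*?)\s{2,}(?<type>\S+)\s{2,}(?<status>\S+)\s*$') {
            [pscustomobject]@{
                Name   = $Matches['name']
                Type   = $Matches['type']
                Status = $Matches['status']
            }
        }
    }
}

$session = Get-EtwSession -Lines (logman query -ets) |
    Where-Object { $_.Name -eq $SessionName }
if (-not $session) {
    "No '$SessionName' session is present."
    return
}

# The session is expected while the service or its agentbeat child is alive.
$service   = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
$agentbeat = Get-Process -Name 'agentbeat' -ErrorAction SilentlyContinue
if (($service -and $service.Status -eq 'Running') -or $agentbeat) {
    "'$SessionName' is $($session.Status) and the agent is active; nothing to clean up."
    return
}

"Orphaned ETW session: '$SessionName' is $($session.Status) but the agent is not running."
if ($StopOrphan) {
    # Same trace the integration's own cleanup code would have stopped.
    logman stop $SessionName -ets
}
```

The check does not cover the second case in the report, where the agent keeps running and only the integration is removed, because the service and process are still present then.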