[Windows] - system.diskio datastream missing on Kibana for unprivileged mode.

[VihasMakwana]

There's one particular error showing up after giving all necessary privileges in unprivileged mode.

• Could not return any performance counter values for \\.\C: .Error: Access is denied.
• This is triggered here when it tries to open a volume for later DeviceIoControlcall.

It tries to open a volume (not the filesystem) to fetch performance counters. As per this microsoft doc,

Direct access to the disk or to a volume is restricted.

• The caller must have administrative privileges. For more information, see Running with Special Privileges.

We can fix this error by giving administrative privileges to our unprivileged user. But isn't it the very thing we're trying to avoid?

Originally posted by @VihasMakwana in #4705 (comment)

[elasticmachine]

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

[pierrehilbert]

Best option is probably to handle this type of error by having:

1. Debug logs mentioning that this requires Agent to be run as privileged to get access to the volume
2. The input reporting as degraded (as we are planning to do with those issues [Elastic Agent] Allow Metricbeat metricsets to report their status to the Elastic Agent beats#39736 & [Elastic Agent] The system/metrics input should report itself as degraded when it encounters a permissions error beats#39737)
3. Our doc mentioning clearly this won't work on Windows in unprivileged mode

WDYT?

[VihasMakwana]

Best option is probably to handle this type of error by having:

1. Debug logs mentioning that this requires Agent to be run as privileged to get access to the volume
2. The input reporting as degraded (as we are planning to do with those issues [Elastic Agent] Allow Metricbeat metricsets to report their status to the Elastic Agent beats#39736 & [Elastic Agent] The system/metrics input should report itself as degraded when it encounters a permissions error beats#39737)
3. Our doc mentioning clearly this won't work on Windows in unprivileged mode

WDYT?

I agree with you and this would also help with excessive error logging

[blakerouse]

Could you try to add the elastic-agent-user to the Performance Monitor Users group and see if fixes the issue?

[cmacknz]

The datastream also needs to be marked as requiring root in the integration: https://github.com/elastic/integrations/blob/main/packages/system/data_stream/diskio/manifest.yml

Example here: https://github.com/elastic/integrations/blob/8be6041db024b306f8ff93f628363bfcb4d6279c/packages/system/data_stream/syslog/manifest.yml#L57-L59

I think this is missing from a few data streams in that package.

[VihasMakwana]

The datastream also needs to be marked as requiring root in the integration: https://github.com/elastic/integrations/blob/main/packages/system/data_stream/diskio/manifest.yml

Example here: https://github.com/elastic/integrations/blob/8be6041db024b306f8ff93f628363bfcb4d6279c/packages/system/data_stream/syslog/manifest.yml#L57-L59

I think this is missing from a few data streams in that package.

Thanks for finding this out.
I'll raise a PR.