
config test error error initializing processors

Open CodeNameTheOnlyOne opened this issue 3 years ago • 1 comments

Downloaded new config and am getting: Exiting: error initializing processors: each processor must have exactly one action, but found 5 actions (script,when,lang,id,file). Winlogbeat v7.16.3.

I was able to get it to pass a config test by removing the following lines:


  # As requested by our external CISO service
  - name: ForwardedEvents
    tags: [forwarded]
    processors:
      - script:
        when.equals.winlog.channel: Security
        lang: javascript
        id: security
        file: ${path.home}/module/security/config/winlogbeat-security.js
      - script:
        when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
        lang: javascript
        id: sysmon
        file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
      - script:
        when.equals.winlog.channel: Windows PowerShell
        lang: javascript
        id: powershell
        file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
      - script:
        when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
        lang: javascript
        id: powershell
        file: ${path.home}/module/powershell/config/winlogbeat-powershell.js


# General processors
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~

# Add JS Infos
processors:
  - script:
    when.equals.winlog.channel: Security
    lang: javascript
    id: security
    file: ${path.home}/module/security/config/winlogbeat-security.js

processors:
  - script:
    when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
    lang: javascript
    id: sysmon
    file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

  - script:
    when.equals.winlog.channel: Microsoft-Windows-Sysmon
    lang: javascript
    id: sysmon
    file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

processors:
  - script:
    when.equals.winlog.channel: Windows PowerShell
    lang: javascript
    id: powershell
    file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - script:
    when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
    lang: javascript
    id: powershell
    file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - script:
    when.equals.winlog.channel: Microsoft-Windows-PowerShell/Admin
    lang: javascript
    id: powershell
    file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - script:
    when.equals.winlog.channel: Microsoft-Windows-PowerShell
    lang: javascript
    id: powershell
    file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - script:
    when.equals.winlog.channel: Microsoft-Windows-Shell-Core
    lang: javascript
    id: powershell
    file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - script:
    when.equals.winlog.channel: PowerShellCore/Operational
    lang: javascript
    id: powershell
    file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - script:
    when.equals.winlog.channel: PowerShellCore
    lang: javascript
    id: powershell
    file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

Basically every mention of lang:

Otherwise I am happy with the file. Thanks.

CodeNameTheOnlyOne, Jan 27 '22 18:01

This config is not compatible with the latest versions (7.x and 8.x). The following part needs to be changed: Exiting: error initializing processors: each processor must have exactly one action, but found 5 actions (id,file,script,when,lang). Easy workaround: remove all the processors.

Then these need to be adapted to the new syntax, and you can (re)add them.

jhochwald, Mar 18 '22 11:03
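The five "actions" in the error are the five keys that sit at the same indent as `script` in the posted entries, so YAML reads them as siblings of `script` rather than as its options. The check below is an added example, not part of this issue or the repository: it counts the top-level keys of each `processors` list item. The `NESTED` sample (options indented under `script`, the layout the Beats processor documentation uses) and the helper names are assumptions.

```python
import re

# Constructed samples: one entry as posted in the issue, and the same entry
# with its options nested under "script" (assumed intended layout).
BROKEN = """\
processors:
  - script:
    when.equals.winlog.channel: Security
    lang: javascript
    id: security
    file: ${path.home}/module/security/config/winlogbeat-security.js
"""
NESTED = """\
processors:
  - script:
      when.equals.winlog.channel: Security
      lang: javascript
      id: security
      file: ${path.home}/module/security/config/winlogbeat-security.js
"""

ITEM = re.compile(r"^(\s*)- ([\w.]+):")   # "- key:" list item
KEY = re.compile(r"^(\s*)([\w.]+):")      # plain "key:" line

def processor_actions(text):
    """Per processors list item, the top-level keys counted as actions."""
    items, in_proc, proc_indent, dash_col, key_col = [], False, 0, None, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        item, key = ITEM.match(line), KEY.match(line)
        if key and key.group(2) == "processors":
            in_proc, proc_indent, dash_col, key_col = True, indent, None, None
        elif in_proc and item and dash_col in (None, indent):
            dash_col, key_col = indent, indent + 2   # first key starts after "- "
            items.append([item.group(2).split(".")[0]])
        elif in_proc and key and indent == key_col:
            # Same column as the processor name: a sibling key, i.e. another action.
            items[-1].append(key.group(2).split(".")[0])   # dotted keys expand to their root
        elif in_proc and indent <= proc_indent:
            in_proc = False                          # left the processors block
    return items

def misindented(text):
    """Items that would fail with 'each processor must have exactly one action'."""
    return [keys for keys in processor_actions(text) if len(keys) != 1]
```

This is a line-based check for this one layout mistake, not a YAML parser; `winlogbeat test config` remains the authoritative check.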