jhochwald / Universal-Winlogbeat-configuration

Universal Winlogbeat configuration
https://hochwald.net/ship-windows-event-logs-with-winlogbeat/
BSD 3-Clause "New" or "Revised" License

config test error error initializing processors #4

Open CodeNameTheOnlyOne opened 2 years ago

CodeNameTheOnlyOne commented 2 years ago

Downloaded the new config and am getting: Exiting: error initializing processors: each processor must have exactly one action, but found 5 actions (script,when,lang,id,file). Winlogbeat v7.16.3.

I was able to get it to pass a config test by removing the following lines:


  # As requested by our external CISO service
  - name: ForwardedEvents
    tags: [forwarded]
    processors:
      - script:
        when.equals.winlog.channel: Security
        lang: javascript
        id: security
        file: ${path.home}/module/security/config/winlogbeat-security.js
      - script:
        when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
        lang: javascript
        id: sysmon
        file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
      - script:
        when.equals.winlog.channel: Windows PowerShell
        lang: javascript
        id: powershell
        file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
      - script:
        when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
        lang: javascript
        id: powershell
        file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

# General processors
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~

# Add JS Infos
processors:
  - script:
    when.equals.winlog.channel: Security
    lang: javascript
    id: security
    file: ${path.home}/module/security/config/winlogbeat-security.js

processors:
  - script:
    when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
    lang: javascript
    id: sysmon
    file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

  - script:
    when.equals.winlog.channel: Microsoft-Windows-Sysmon
    lang: javascript
    id: sysmon
    file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

processors:
  - script:
    when.equals.winlog.channel: Windows PowerShell
    lang: javascript
    id: powershell
    file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - script:
    when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
    lang: javascript
    id: powershell
    file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - script:
    when.equals.winlog.channel: Microsoft-Windows-PowerShell/Admin
    lang: javascript
    id: powershell
    file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - script:
    when.equals.winlog.channel: Microsoft-Windows-PowerShell
    lang: javascript
    id: powershell
    file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - script:
    when.equals.winlog.channel: Microsoft-Windows-Shell-Core
    lang: javascript
    id: powershell
    file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - script:
    when.equals.winlog.channel: PowerShellCore/Operational
    lang: javascript
    id: powershell
    file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - script:
    when.equals.winlog.channel: PowerShellCore
    lang: javascript
    id: powershell
    file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

Basically, every mention of lang:

Otherwise I am happy with the file. Thanks.

jhochwald commented 2 years ago

This config is not compatible with the latest versions (7.x and 8.x). The following part needs to be changed: Exiting: error initializing processors: each processor must have exactly one action, but found 5 actions (id,file,script,when,lang). Easy workaround: remove all the processors.

Then these need to be adapted to the new syntax and you can (re)add them.
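As an added example (not taken from the repository or from either comment above), here is the processor block in the form Beats 7.x/8.x expects. The cause of the error is indentation: when "when", "lang", "id" and "file" sit at the same level as "script:", YAML makes them siblings of "script", so the list entry is a mapping with five keys and Beats reports "found 5 actions". Every option of a processor, including its when condition, has to be indented under the processor name so that each list entry has exactly one key. The channel names and script paths are the ones posted in the issue; the winlogbeat.event_logs key is the standard Winlogbeat key under which the ForwardedEvents entry lives.

```yaml
# ---- Broken form (produces "found 5 actions (script,when,lang,id,file)") ----
# Shown as a comment so this file stays valid. Because the option keys are at
# the same indentation as "script:", the list item becomes a five-key mapping.
#
#   processors:
#     - script:
#       when.equals.winlog.channel: Security
#       lang: javascript
#       id: security
#       file: ${path.home}/module/security/config/winlogbeat-security.js

# ---- Corrected form: each processor entry is a mapping with exactly one key ----
winlogbeat.event_logs:
  # As requested by our external CISO service
  - name: ForwardedEvents
    tags: [forwarded]
    processors:
      - script:
          # The condition is an option of the script processor, nested under it.
          when.equals.winlog.channel: Security
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
      - script:
          when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
      - script:
          when.equals.winlog.channel: Windows PowerShell
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
      - script:
          when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

# General processors. YAML mapping keys must be unique, so all global
# processors are kept in this single top-level list instead of repeating
# the "processors:" key several times.
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
```

The same two-level indentation applies to the global script processors listed in the issue (Sysmon, the PowerShell channels, PowerShellCore and so on); they can be appended to the single global processors list with their options nested under script. Run "winlogbeat.exe test config -c winlogbeat.yml" after editing to confirm the file parses before restarting the service.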