Auditbeat error with add_process_metadata missing

grants · October 5, 2018, 2:38pm

Trying to do a lookup of [process][ppid] and push the data into [process][parent] but simple testing can't even get auditbeat to start due to an error that the processor is missing.

## config:
processors:
- add_process_metadata:
    match_pids: [system.process.ppid]
    target: system.process.parent

## Error:
2018-10-05T09:28:15.589-0500    ERROR   instance/beat.go:743    Exiting: error initializing publisher: error initializing processors: the processor add_process_metadata doesn't exist

## version:
auditbeat version 6.4.1 (amd64), libbeat 6.4.1 [37b5f2d2a20f2734b2373a454b4b4cbb2627e841 built 2018-09-13 21:23:13 +0000 UTC]


## Tested with newest 6.4.2
2018-10-05T09:45:15.541-0500    INFO    instance/beat.go:273    Setup Beat: auditbeat; Version: 6.4.2
2018-10-05T09:45:15.541-0500    INFO    instance/beat.go:327    auditbeat stopped.
2018-10-05T09:45:15.542-0500    ERROR   instance/beat.go:743    Exiting: error initializing publisher: error initializing processors: the processor add_process_metadata doesn't exist

Has anyone been able to get this processor to work?

adrisr · October 5, 2018, 2:58pm

Hi,

The add_process_metadata processor is not available in 6.4, it will appear in 6.5.0.

You can try building Auditbeat yourself from our 6.x branch once this cherry-pick is merged https://github.com/elastic/beats/pull/8570

Or build from master (7.0.0-snapshot).

grants · October 5, 2018, 4:06pm

Thanks,

I was reading the wrong documentation and now see that it's not listed as supported processor on this page: https://www.elastic.co/guide/en/beats/auditbeat/current/defining-processors.html#processors

system · October 26, 2018, 4:06pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.