Setting up auditbeat on a new host, I encountered an error with a config I know works. I went to a host running 9.2.2 with the same config and everything was working fine, then ran apt upgrade to version 9.2.3 and it fails to start with the same error.
Next I started removing custom parts of my config and ended up finding this single processor that worked in 9.2.2 but throws this error in 9.2.3:
```yaml
- script:
    when.and:
      - equals.auditd.message_type: syscall
      - has_fields: ['event.original']
    type: javascript
    lang: javascript
    id: parse_syscall_kvs
    source: >
      function process(event) {
        var original = event.Get("event.original");
        if (!original) return;
        for (var i = 0; i < original.length; i++) {
          var line = original[i];
          if (line.indexOf("type=SYSCALL") === 0) {
            var parts = line.split(":", 3);
            if (parts.length < 3) return;
            var kvString = parts[2].replace(/^\s+/, '');
            var pairs = kvString.split(" ");
            var result = {};
            for (var j = 0; j < pairs.length; j++) {
              var kv = pairs[j].split("=");
              if (kv.length == 2) {
                var key = kv[0];
                var value = kv[1].replace(/^"|"$/g, ""); // Remove surrounding quotes
                result[key] = value;
              }
            }
            event.Put("auditd.syscall", result);
            break;
          }
        }
      }
```
```json
{
  "log.level": "error",
  "@timestamp": "2025-12-18T17:17:23.744-0600",
  "log.origin": {
    "function": "github.com/elastic/beats/v7/libbeat/cmd/instance.handleError",
    "file.name": "instance/beat.go",
    "file.line": 1364
  },
  "message": "Exiting: failed setting paths for global processors: attempt to set paths twice",
  "service.name": "auditbeat",
  "ecs.version": "1.6.0"
}
```
Version:
auditbeat version 9.2.3 (amd64), libbeat 9.2.3 [b95cc76490c9bb4184f98e0094be4af14b5d7bd2 built 2025-12-16 08:47:58 +0000 UTC] (FIPS-distribution: false)