Event id processor fails to start service

Elastic Stack Beats
1

I'm trying to follow the configuration that is detailed on this page - https://www.elastic.co/guide/en/beats/winlogbeat/current/configuration-winlogbeat-options.html.

I am running winlogbeat version 6.2.3

I have the following in my config:

  • name: Security
    event_id: ...
    processors:
    • drop_event.when.not.or:
      • equals.event_id: 4625
      • equals.event_id: 4767
      • equals.event_id: 4741
      • equals.event_id: 4720
      • equals.event_id: 662
      • equals.event_id: 4758
      • equals.event_id: 4743
      • equals.event_id: 4729
      • equals.event_id: 4756
      • equals.event_id: 4742
      • equals.event_id: 5137
      • equals.event_id: 631
      • equals.event_id: 635
      • equals.event_id: 658
      • equals.event_id: 4727
      • equals.event_id: 4730
      • equals.event_id: 4726
      • equals.event_id: 4624
      • equals.event_id: 4732
      • equals.event_id: 4757
      • equals.event_id: 5136
      • equals.event_id: 4731
      • equals.event_id: 4754
      • equals.event_id: 634
      • equals.event_id: 638
      • equals.event_id: 4734
      • equals.event_id: 630
      • equals.event_id: 4728
      • equals.event_id: 4733
      • equals.event_id: 4740
      • equals.event_id: 5141
        ignore_older: 72h

This is the error I receive when testing the config:

.\winlogbeat.exe test config -c .\winlogbeat.yml

Exiting: Failed to create new event log. 1 error: Invalid event log key 'processors' found. Valid keys are api, batch_read_size, event_id, fields, fields_under_root, forwarded, ignore_older, include_xml, level, name, provider, tags

What am I missing that is causing this to not work correctly?

2

Looks like its a bug!
Would be great to include that in either the specific documentation for 6.2 or the release notes for 6.3.

Also documentation shouldn't include "event_id: ..."
Fails with "Exiting: Failed to create new event log. 1 error: invalid event ID query component ('...')"

This is not correct and should include something that actually works.

3

I'm working on fixes for both issues.

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.