I have a processor defined in the auditd module, and it seems to be correct based on other posts I have read. There are no configuration errors and Filebeat starts up, but I get an error:
ERROR instance/beat.go:989 Exiting: Failed to start crawler: creating module reloader failed: could not create module registry for filesets: fileset auditd/input is configured but doesn't exist
This seems to be similar to a post found at this link but it did not solve my issue: System module: error when defining syslog.input.processors
Here is my configuration:
# Module: auditd
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.15/filebeat-module-auditd.html
- module: auditd
  log:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: ["/var/log/*/audit*"]
  input:
    processors:
      - dissect:
          tokenizer: "%{imfile.timestamp} %{related.hosts} %{imfile.tag} %{message}"
          field: "message"
          target_prefix: ""
          overwrite_keys: "true"
Any thoughts on how to resolve this? Where would I look to see if there are processors predefined in the auditd module as noted in the similar post for the system module?
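
Added example, not part of the original post: Filebeat reads every key that sits beside `module:` as a fileset name, which is why an `input` block at that level is reported as the fileset `auditd/input`. Input overrides belong to a fileset, so the sketch below nests `input` under `log` with the same values as the posted configuration; it addresses only the registry error quoted above, not how the dissect processor interacts with the module's own settings.

```yaml
# Module: auditd
- module: auditd
  # "log" is the fileset being configured; each key at this level
  # (other than "module") is looked up as a fileset of the module.
  log:
    enabled: true
    var.paths: ["/var/log/*/audit*"]
    # Input settings are overridden per fileset, so "input" is a child
    # of "log" rather than a sibling of it.
    input:
      processors:
        - dissect:
            tokenizer: "%{imfile.timestamp} %{related.hosts} %{imfile.tag} %{message}"
            field: "message"
            target_prefix: ""
            overwrite_keys: "true"
```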