New issue with auditbeat v9.2.3: attempt to set paths twice

[gwsales]

Please post all questions and issues on https://discuss.elastic.co/c/beats
before opening a Github Issue. Your questions will reach a wider audience there,
and if we confirm that there is a bug, then you can open a new issue.

For security vulnerabilities please only send reports to security@elastic.co.
See https://www.elastic.co/community/security for more information.

Please include configurations and logs if available.

For confirmed bugs, please report:

• Version: 9.2.3
• Operating System: ubuntu 22.04 LTS
• Discuss Forum URL: https://discuss.elastic.co/t/auditbeat-javascript-processor-error-with-v9-2-3/384188
• Steps to Reproduce: Processor listed below

Setting up auditbeat on a new host encountered an error with a config I know works. Went to a host running 9.2.2 with the same config running and everything was working fine, ran apt upgrade to version 9.2.3 and it fails to start with the same error.

Next I started removing custom parts of my config and ended up finding this single processor that worked in 9.2.2 but throws this error in 9.2.3

  - script:
      when.and:
        - equals.auditd.message_type: syscall
        - has_fields: ['event.original']
      type: javascript
      lang: javascript
      id: parse_syscall_kvs
      source: >
        function process(event) {
          var original = event.Get("event.original");
          if (!original) return;

          for (var i = 0; i < original.length; i++) {
            var line = original[i];
            if (line.indexOf("type=SYSCALL") === 0) {
              var parts = line.split(":", 3);
              if (parts.length < 3) return;

              var kvString = parts[2].replace(/^\s+/, '');
              var pairs = kvString.split(" ");
              var result = {};
              for (var j = 0; j < pairs.length; j++) {
                var kv = pairs[j].split("=");
                if (kv.length == 2) {
                  var key = kv[0];
                  var value = kv[1].replace(/^"|"$/g, ""); // Remove surrounding quotes
                  result[key] = value;
                }
              }
              event.Put("auditd.syscall", result);
              break;
            }
          }
        }

{
  "log.level": "error",
  "@timestamp": "2025-12-18T17:17:23.744-0600",
  "log.origin": {
    "function": "github.com/elastic/beats/v7/libbeat/cmd/instance.handleError",
    "file.name": "instance/beat.go",
    "file.line": 1364
  },
  "message": "Exiting: failed setting paths for global processors: attempt to set paths twice",
  "service.name": "auditbeat",
  "ecs.version": "1.6.0"
}

Version:

auditbeat version 9.2.3 (amd64), libbeat 9.2.3 [b95cc76490c9bb4184f98e0094be4af14b5d7bd2 built 2025-12-16 08:47:58 +0000 UTC] (FIPS-distribution: false)

[andrewkroh]

@orestisfl, could this be related to #47870 ?

[elasticmachine]

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

[gwsales]

I also could have wrote a really terrible processor, I only use this for testing auditd rule filters but this was working in v8 through v9.2.2.

[pierrehilbert]

Hey @gwsales,
Thanks for raising this issue. FYI, @orestisfl is currently investigating what's happening to work on a fix.

[orestisfl]

Unfortunately #47846 that fixed this issue for main missed the backport labels 🤦

[gwsales]

Without the backport label, how long will it take for this to be patched?

[pierrehilbert]

Sorry for the delay but @orestisfl and I were both in PTOs.
The backport PR is not merged yet but we should be able to have a patched version before mid-January.

[orestisfl]

Backport is merged.

[gwsales]

Can we reopen this issue. Testing with auditbeat version 9.2.4 I have the same issue.