Auditbeat btmp file monitoring glitch (saved size or offset illogical)


I have auditbeat 7.17.8 installed on an RHEL 7 system. RHEL7 rotates out the BTMP file at the start of every month. So, starting today I am seeing the following message every few seconds in syslog:

May 1 12:44:38 MYHOSTNAME auditbeat[14159]: WARN [login] login/utmp.go:191 saved size or offset illogical (new={Inode:34395525 Path:/var/log/btmp Size:0 Offset:1488768 Type:1}, saved={Inode:34395525 Path:/var/log/btmp Size:0 Offset:1488768 Type:1}) - reading whole file.

Restarting auditbeat didn't resolve this issue, and the current btmp filesize is indeed zero according to 'ls'.

I'm assuming this is a corner case/bug the programmers forgot to account for, but was wondering if anyone had any feedback/thoughts before I opened an issue for it on GitHub?


 - Daniel
