Hi,
I have auditbeat 7.17.8 installed on an RHEL 7 system. RHEL 7 rotates the BTMP file out at the start of every month. So, starting today, I am seeing the following message every few seconds in syslog:
May 1 12:44:38 MYHOSTNAME auditbeat[14159]: WARN [login] login/utmp.go:191 saved size or offset illogical (new={Inode:34395525 Path:/var/log/btmp Size:0 Offset:1488768 Type:1}, saved={Inode:34395525 Path:/var/log/btmp Size:0 Offset:1488768 Type:1}) - reading whole file.
Restarting auditbeat didn't resolve this issue, and the current btmp filesize is indeed zero according to 'ls'.
I'm assuming this is a corner case/bug the programmers forgot to account for, but was wondering if anyone had any feedback/thoughts before I opened an issue for it on GitHub?
Thanks,
- Daniel