Multiple events from system module login dataset

I've been running auditbeat in my test environment for a while.

I notice that auditbeat indexes the same login event more than once (between 5 and 10 times) for every logon or logout.

Auditbeat Version: auditbeat version 6.7.0 (amd64), libbeat 6.7.0
Linux Version: Linux 3.10.0-862.9.1.el7.x86_64 #1 SMP Mon Jul 16 16:29:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Issue: Duplicate indexed events for the same /var/log/wtmp log entry

There is 1 entry for the event in the login database:
sudo last -f "/var/log/wtmp"

login module config

- module: system
  datasets:
    - login
  period: 1h
  state.period: 24h
  user.detect_password_changes: true
  login.wtmp_file_pattern: /var/log/wtmp
  login.btmp_file_pattern: /var/log/btmp

Multiple login events indexed for the same @timestamp in the wtmp log
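To check the report's premise independently, here is an added example that is neither the poster's code nor Auditbeat's: a small Python parser for the wtmp binary format that lists the distinct login/logout records (the same set `sudo last -f /var/log/wtmp` prints) and a duplicate check that can be run over the events pulled back from the index. The record layout assumed is glibc's 384-byte `struct utmp` on x86_64, matching the CentOS 7 host in the report; the two sample records and the five-fold "indexed" copy are constructed inline.

```python
import struct
import sys
import time

# glibc struct utmp on x86_64 (384 bytes per record). Assumed layout for the
# x86_64 CentOS 7 host in the report; 32-bit or non-glibc systems differ.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS = 7   # normal login
DEAD_PROCESS = 8   # logout / session ended


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width C string field."""
    return raw.split(b"\x00", 1)[0].decode("utf-8", "replace")


def parse_wtmp(data: bytes) -> list:
    """Return login/logout events from raw wtmp bytes, oldest first.

    Other record types (BOOT_TIME, RUN_LVL, ...) are skipped because the
    report concerns logon/logout records only.
    """
    if len(data) % UTMP_SIZE:
        raise ValueError("wtmp length %d is not a multiple of %d (truncated or wrong layout)"
                         % (len(data), UTMP_SIZE))
    events = []
    for off in range(0, len(data), UTMP_SIZE):
        (ut_type, pid, line, _ut_id, user, host, _term, _exit, _sess,
         sec, usec, *_addr) = struct.unpack_from(UTMP_FMT, data, off)
        if ut_type not in (USER_PROCESS, DEAD_PROCESS):
            continue
        events.append({
            "type": "login" if ut_type == USER_PROCESS else "logout",
            "pid": pid,
            "line": _cstr(line),
            "user": _cstr(user),
            "host": _cstr(host),
            "timestamp": sec + usec / 1_000_000,
        })
    return events


def read_wtmp(path: str = "/var/log/wtmp") -> list:
    """Parse a wtmp file on disk (normally needs root, like `sudo last -f`)."""
    with open(path, "rb") as fh:
        return parse_wtmp(fh.read())


def event_key(ev: dict) -> tuple:
    """Fields identifying one wtmp record; indexed events sharing this key
    come from the same underlying login/logout record."""
    return (ev["type"], ev["pid"], ev["line"], ev["user"], ev["timestamp"])


def find_duplicates(indexed_events: list) -> dict:
    """Map record key -> number of copies, for keys indexed more than once."""
    counts = {}
    for ev in indexed_events:
        k = event_key(ev)
        counts[k] = counts.get(k, 0) + 1
    return {k: n for k, n in counts.items() if n > 1}


def dedupe(indexed_events: list) -> list:
    """Keep the first copy of each record key, preserving order."""
    seen, unique = set(), []
    for ev in indexed_events:
        k = event_key(ev)
        if k not in seen:
            seen.add(k)
            unique.append(ev)
    return unique


def build_record(ut_type: int, pid: int, line: str, user: str, host: str,
                 sec: int, usec: int = 0) -> bytes:
    """Pack one utmp record (used here only to construct sample input)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, sec, usec, 0, 0, 0, 0)


# Constructed sample: one login and its matching logout, as `last -f` would show.
SAMPLE_WTMP = (
    build_record(USER_PROCESS, 4242, "pts/0", "alice", "192.0.2.10", 1556000000)
    + build_record(DEAD_PROCESS, 4242, "pts/0", "alice", "192.0.2.10", 1556003600)
)

# Constructed stand-in for what the index returned: each record indexed 5 times.
INDEXED_SAMPLE = [ev for ev in parse_wtmp(SAMPLE_WTMP) for _ in range(5)]


if __name__ == "__main__":
    events = read_wtmp(sys.argv[1]) if len(sys.argv) > 1 else parse_wtmp(SAMPLE_WTMP)
    for ev in events:
        print(time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(ev["timestamp"])),
              ev["type"], ev["user"], ev["line"], ev["host"])
    print("distinct records in wtmp:", len(events))
    print("duplicate keys in indexed sample:", len(find_duplicates(INDEXED_SAMPLE)))
```

Run it with `sudo python3 wtmp_check.py /var/log/wtmp` to get the record count to compare against a count of `event.dataset:login` hits in the index for the same time window; feed the hits from the index into `find_duplicates` (after mapping their fields onto the same keys) to see which records were indexed more than once.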

Thanks @olatunde.tokun - that's indeed a bug. I've already merged a fix (https://github.com/elastic/beats/pull/12028) - the backport to versions 6.x and 7.x should be around the corner.
