Multiple events from system module login dataset

olatunde.tokun · May 8, 2019, 7:26pm

Been running auditbeat in my test environment for a while.

I notice that auditbeat indexes the same login event more than once (between 5 to 10times) for every logon or logout.

Auditbeat Version: auditbeat version 6.7.0 (amd64), libbeat 6.7.0
Linux Version: Linux 3.10.0-862.9.1.el7.x86_64 #1 SMP Mon Jul 16 16:29:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Issue: Duplicate indexed event for the same /var/log/wtmp log

There is 1 entry for the event in the login database:
sudo last -f "/var/log/wtmp"

login module config

- module: system
  datasets:
    - login
  period: 1h
  state.period: 24h
  user.detect_password_changes: true
  login.wtmp_file_pattern: /var/log/wtmp
  login.btmp_file_pattern: /var/log/btmp

Multiple login events indexed for the same @timestamp in the wtmp log

cwurm · May 8, 2019, 11:23pm

Thanks @olatunde.tokun - that's indeed a bug. I've already merged a fix (https://github.com/elastic/beats/pull/12028) - the backport to versions 6.x and 7.x should be around the corner.

system · May 29, 2019, 11:23pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Auditbeat login dataset generates xxxx indices Beats auditbeat	1	380	July 24, 2019
Auditbeat collects old data on Linux system Beats auditbeat	1	443	March 10, 2022
Login dataset is not supported on windows Beats elastic-stack-security , auditbeat	2	529	February 14, 2020
Multiple "-module: auditd" stanzas in config file lead to problems Beats auditbeat	1	306	September 18, 2021
Auditbeat 7.11 on Ubuntu doesn't read /var/log/btmp Beats auditbeat	1	593	March 12, 2021

Multiple events from system module login dataset

Related Topics