
[Auditbeat] System module login dataset: De-duplicate login records #10901

Closed
cwurm opened this issue Feb 22, 2019 · 4 comments

@cwurm
Contributor

cwurm commented Feb 22, 2019

For some reason, on Ubuntu 18.04 a failed SSH login attempt leads to two identical entries (including the same timestamp) being written into /var/log/btmp. I don't know why this is, it could be that somewhere in the chain of login logic two parts decide to write the same entry. This is easy for a human to recognize, but it can lead to inaccurate aggregation results on the Elasticsearch/Kibana side (e.g. for total number of failed login attempts).

This is a follow-up to #10865. From the discussion there we seem to be leaning towards de-duplicating on the Beats side if possible.
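The Beats-side de-duplication the issue leans towards, as an added example in Go that is not Auditbeat's own code: it parses raw btmp bytes using the glibc struct utmp layout for 64-bit Linux (an assumption about the platform) and suppresses a record identical to the one written immediately before it, the double-write pattern described above. Keying on a byte-for-byte repeat of the previous record is this example's choice, not something the issue specifies.

```go
package main

import (
	"bytes"
	"encoding/binary"
)

// struct utmp as glibc writes it to /var/log/btmp on 64-bit Linux (384 bytes).
// Assumed layout for this example; it is not Auditbeat's login dataset type.
type utmpRecord struct {
	Type   int16
	_      [2]byte // alignment padding
	Pid    int32
	Line   [32]byte
	ID     [4]byte
	User   [32]byte
	Host   [256]byte
	Exit   [2]int16 // e_termination, e_exit
	Session, TvSec, TvUsec int32
	AddrV6 [4]int32
	_      [20]byte // reserved
}

// dedupeBtmp parses raw btmp bytes and drops a record that is identical
// (user, host, line, timestamp, ...) to the one written immediately before it.
func dedupeBtmp(data []byte) ([]utmpRecord, error) {
	var out []utmpRecord
	r := bytes.NewReader(data)
	for r.Len() > 0 {
		var rec utmpRecord
		if err := binary.Read(r, binary.LittleEndian, &rec); err != nil {
			return nil, err // truncated or corrupt record: report, don't guess
		}
		// Struct equality covers every non-blank field: only an exact repeat is dropped.
		if n := len(out); n > 0 && out[n-1] == rec {
			continue
		}
		out = append(out, rec)
	}
	return out, nil
}

// encodeUtmp serialises records the way glibc appends them (constructed sample input).
func encodeUtmp(recs ...utmpRecord) []byte {
	var buf bytes.Buffer
	for _, r := range recs {
		_ = binary.Write(&buf, binary.LittleEndian, r)
	}
	return buf.Bytes()
}
```

A truncated trailing record is returned as an error rather than silently skipped, so a partially written btmp is visible to the caller instead of producing a miscount.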

@elasticmachine
Collaborator

Pinging @elastic/secops

@jsoriano
Member

@cwurm how did you reproduce these duplicated entries? I have tried on two different machines and I couldn't see duplications.

@cwurm
Contributor Author

cwurm commented Jan 21, 2020

@jsoriano I don't remember to be honest, but I don't think I made any changes to the PAM configuration or did anything unusual. I dimly remember that maybe it didn't happen for all login types (I at least tested password-based SSH login, key-based SSH login, and running login on the command line).

@jlind23
Collaborator

jlind23 commented Apr 1, 2022

Backlog grooming: Closing it for now until further activity; it can still be reopened if needed.

@jlind23 jlind23 closed this as completed Apr 1, 2022
4 participants