For some reason, on Ubuntu 18.04 a failed SSH login attempt leads to two identical entries (including the same timestamp) being written into `/var/log/btmp`. I don't know why this is; it could be that somewhere in the chain of login logic two parts decide to write the same entry. This is easy for a human to recognize, but it can lead to inaccurate aggregation results on the Elasticsearch/Kibana side (e.g. for total number of failed login attempts).
This is a follow-up to #10865. From the discussion there we seem to be leaning towards de-duplicating on the Beats side if possible.
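An added sketch of what de-duplicating on the reader side could look like; this is not Beats code and not from anyone in this thread. It assumes the x86-64 glibc `struct utmp` layout (384-byte records) and that the duplicate directly follows the original; `Dedup`, `FailedLogin` and `sampleRecord` are hypothetical names, and the records are constructed.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// Layout of struct utmp on x86-64 Linux with glibc (assumed for this example).
const (
	recSize = 384
	offUser = 44  // ut_user[32]
	offHost = 76  // ut_host[256]
	offSec  = 340 // ut_tv.tv_sec, 32-bit little-endian
)

// FailedLogin holds the fields this example extracts from one record.
type FailedLogin struct {
	User, Host string
	Sec        uint32
}

// Dedup drops each record byte-identical to the one before it; a short tail is ignored.
func Dedup(btmp []byte) (kept []FailedLogin, dropped int) {
	for i := 0; i+recSize <= len(btmp); i += recSize {
		cur := btmp[i : i+recSize]
		if i > 0 && bytes.Equal(cur, btmp[i-recSize:i]) {
			dropped++ // same user, host, pid, line and timestamp as the previous record
			continue
		}
		str := func(off, n int) string { return string(bytes.TrimRight(cur[off:off+n], "\x00")) }
		kept = append(kept, FailedLogin{str(offUser, 32), str(offHost, 256), binary.LittleEndian.Uint32(cur[offSec:])})
	}
	return kept, dropped
}

// sampleRecord builds a constructed record; real btmp records set more fields.
func sampleRecord(user, host string, sec uint32) []byte {
	b := make([]byte, recSize)
	copy(b[offUser:offUser+32], user)
	copy(b[offHost:offHost+256], host)
	binary.LittleEndian.PutUint32(b[offSec:], sec)
	return b
}

func main() {
	a, b := sampleRecord("root", "203.0.113.7", 1550000000), sampleRecord("admin", "203.0.113.7", 1550000003)
	fmt.Println(Dedup(bytes.Join([][]byte{a, a, b}, nil)))
}
```

Comparing whole records rather than only the timestamp keeps two distinct failed attempts that land in the same second, as long as any other field differs.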
@jsoriano I don't remember to be honest, but I don't think I made any changes to the PAM configuration or did anything unusual. I dimly remember that maybe it didn't happen for all login types (I at least tested password-based SSH login, key-based SSH login, and running login on the command line).