Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[fix][auditbeat] Reset file offset when re-reading from the beginning #24414

Merged
merged 1 commit into from Mar 8, 2021
Merged

[fix][auditbeat] Reset file offset when re-reading from the beginning #24414

merged 1 commit into from Mar 8, 2021

Conversation

marc-gr
Copy link
Contributor

@marc-gr marc-gr commented Mar 8, 2021
edited

What does this PR do?

When a utmp file is read and its size is smaller than before (which can be caused by an inode reuse, for example), we have to reset its offset, also, otherwise it will ignore any new events in that file until the size is bigger than its previous value.

Why is it important?

We were missing events in some edge cases.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
    - [ ] I have made corresponding changes to the documentation
    - [ ] I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Logs

The logs of the bug:

2021-03-01T17:16:07.665+1000	WARN	[login]	login/utmp.go:190	Unexpectedly, the file /var/log/wtmp is smaller than before (new: 35712, old: 39552) - reading whole file.
2021-03-01T17:16:07.665+1000	DEBUG	[login]	login/utmp.go:204	Reading file /var/log/wtmp (utmpFile={Inode:14 Path:/var/log/wtmp Size:35712 Offset:39552 Type:0})
2021-03-01T17:16:07.665+1000	DEBUG	[login]	login/utmp.go:279	Saving UTMP file record ({Inode:14 Path:/var/log/wtmp Size:35712 Offset:39552 Type:0})

As you can see, it is reading from an invalid offset and saving it.

2021-03-01T17:16:17.666+1000	DEBUG	[login]	login/utmp.go:204	Reading file /var/log/wtmp (utmpFile={Inode:14 Path:/var/log/wtmp Size:36096 Offset:39552 Type:0})
2021-03-01T17:16:17.666+1000	DEBUG	[login]	login/utmp.go:279	Saving UTMP file record ({Inode:14 Path:/var/log/wtmp Size:36096 Offset:39552 Type:0})
2021-03-01T17:16:17.666+1000	DEBUG	[login]	login/login.go:130	0 new login records.

Subsequent calls still ignore new events even if the size has grown.

@marc-gr marc-gr requested a review from a team as a code owner March 8, 2021 11:11
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Mar 8, 2021
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Mar 8, 2021
@marc-gr marc-gr requested a review from a team March 8, 2021 11:11
@marc-gr marc-gr force-pushed the fix-auditbeat-offset branch 2 times, most recently from 0a44e93 to a3712e0 Compare March 8, 2021 11:19
@elasticmachine
Copy link
Collaborator

elasticmachine commented Mar 8, 2021
edited by jenkins-beats-ci bot

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: Pull request #24414 updated

  • Start Time: 2021-03-08T11:45:04.006+0000

  • Duration: 38 min 31 sec

  • Commit: 80e970c

Test stats 🧪

Test Results
Failed 0
Passed 337
Skipped 145
Total 482

Trends 🧪

Image of Build Times

Image of Tests

💚 Flaky test report

Tests succeeded.

Expand to view the summary

Test stats 🧪

Test Results
Failed 0
Passed 337
Skipped 145
Total 482

@marc-gr marc-gr force-pushed the fix-auditbeat-offset branch 2 times, most recently from 54529dc to 80e970c Compare March 8, 2021 11:44
adriansr
adriansr approved these changes Mar 8, 2021
View reviewed changes
Copy link
Contributor

@adriansr adriansr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@marc-gr marc-gr merged commit 1fd8c4a into elastic:master Mar 8, 2021
@marc-gr marc-gr deleted the fix-auditbeat-offset branch March 8, 2021 13:47
@marc-gr marc-gr mentioned this pull request Mar 8, 2021
Merged
4 tasks
@marc-gr marc-gr added the v7.13.0 label Mar 8, 2021
@marc-gr marc-gr mentioned this pull request Mar 8, 2021
Merged
4 tasks
@marc-gr marc-gr added the v7.11.2 label Mar 8, 2021
@marc-gr marc-gr mentioned this pull request Mar 8, 2021
Merged
4 tasks
@marc-gr marc-gr added the v7.12.0 label Mar 8, 2021
marc-gr added a commit to marc-gr/beats that referenced this pull request Mar 8, 2021
@marc-gr
Reset file offset when re-reading from the beginning (elastic#24414)
c1bd7c9 
(cherry picked from commit 1fd8c4a)
marc-gr added a commit to marc-gr/beats that referenced this pull request Mar 9, 2021
@marc-gr
Reset file offset when re-reading from the beginning (elastic#24414)
7cc892a 
(cherry picked from commit 1fd8c4a)
@leehinman leehinman mentioned this pull request Mar 11, 2021
Merged
3 tasks
marc-gr added a commit that referenced this pull request Mar 15, 2021
@marc-gr
Reset file offset when re-reading from the beginning (#24414) (#24416)
8050589 
(cherry picked from commit 1fd8c4a)
marc-gr added a commit that referenced this pull request Mar 15, 2021
@marc-gr
Reset file offset when re-reading from the beginning (#24414) (#24417)
5d0d7dc 
(cherry picked from commit 1fd8c4a)
marc-gr added a commit to marc-gr/beats that referenced this pull request Mar 15, 2021
@marc-gr
Reset file offset when re-reading from the beginning (elastic#24414)
cd6b1d4 
(cherry picked from commit 1fd8c4a)
marc-gr added a commit that referenced this pull request Mar 15, 2021
@marc-gr
Reset file offset when re-reading from the beginning (#24414) (#24418)
516198a 
(cherry picked from commit 1fd8c4a)
This was referenced Mar 15, 2021
Merged
Merged
Merged
leweafan pushed a commit to leweafan/beats that referenced this pull request Apr 28, 2023
@marc-gr
Reset file offset when re-reading from the beginning (elastic#24414) (e…
dbbd256 
…lastic#24418)

(cherry picked from commit 74711d2)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@adriansr adriansr adriansr approved these changes

Assignees
No one assigned
Labels
bug v7.11.2 v7.12.0 v7.13.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@marc-gr @elasticmachine @adriansr