[fix][auditbeat] Reset file offset when re-reading from the beginning #24414
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
LGTM
(cherry picked from commit 1fd8c4a)
…lastic#24418) (cherry picked from commit 74711d2)
What does this PR do?
When a utmp file is read and its size is smaller than before (which can be caused by an inode reuse, for example), we also have to reset its offset; otherwise it will ignore any new events in that file until the size is bigger than its previous value.

Why is it important?
We were missing events in some edge cases.

Checklist
- [ ] I have made corresponding changes to the documentation
- [ ] I have made corresponding change to the default configuration files
CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Logs
The logs of the bug:
As you can see, it is reading from an invalid offset and saving it.
Subsequent calls still ignore new events even if the size has grown.
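
A minimal model of the offset handling described in this PR, added here as an illustration and not taken from the Auditbeat code: it replays a sequence of file sizes with and without the offset reset and counts the records a reader would see. The names `fileState`, `poll` and `replay`, the 384-byte record size and the size sequence are assumptions made for the sketch.

```go
package main

import "fmt"

// Hypothetical model, not Auditbeat's types: state kept per utmp file between polls.
type fileState struct {
	Size   int64 // file size seen at the previous poll
	Offset int64 // byte position of the next unread record
}

const recordSize = 384 // assumed fixed utmp record size for this sketch

// poll reports how many new records a reader would pick up from a file that is
// now curSize bytes long. resetOffset=true applies the behaviour the PR describes
// as the fix; false keeps the stale offset after the file shrinks.
func poll(st *fileState, curSize int64, resetOffset bool) int {
	if curSize < st.Size && resetOffset {
		st.Offset = 0 // smaller file (e.g. inode reuse): re-read from the beginning
	}
	st.Size = curSize
	if st.Offset >= curSize {
		return 0 // saved offset is at or past EOF, so nothing is read
	}
	n := int((curSize - st.Offset) / recordSize)
	st.Offset += int64(n) * recordSize
	return n
}

// replay polls a sequence of file sizes (in records) and returns the total records read.
func replay(sizesInRecords []int64, resetOffset bool) int {
	st, total := &fileState{}, 0
	for _, s := range sizesInRecords {
		total += poll(st, s*recordSize, resetOffset)
	}
	return total
}

func main() {
	// Constructed scenario: 10 records, file replaced by one with 2, then grows to 5 and 12.
	sizes := []int64{10, 2, 5, 12}
	fmt.Println("without reset:", replay(sizes, false)) // records 1..10 of the new file are lost
	fmt.Println("with reset:   ", replay(sizes, true))
}
```

For login auditing, the gap without the reset means session events written to the replacement file go unreported until it outgrows the old one.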