For some reason, on Ubuntu 18.04 a failed SSH login attempt leads to two identical entries (including the same timestamp) being written into /var/log/btmp. I don't know why this is, it could be that somewhere in the chain of login logic two parts decide to write the same entry. This is easy for a human to recognize, but it can lead to inaccurate aggregation results on the Elasticsearch/Kibana side (e.g. for total number of failed login attempts).
This is a follow-up to #10865. From the discussion there we seem to be leaning towards de-duplicating on the Beats side if possible.
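One way the Beats-side de-duplication described above could be done, as an added example that is not Beats' own code: decode the raw 384-byte records that make up /var/log/btmp and drop any record that repeats the one immediately before it, timestamp included. The record layout is assumed from glibc's `struct utmp` on 64-bit Linux, and the sample file contents, PIDs, host and timestamps are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"log"
)

const utmpSize = 384

// utmpRecord mirrors struct utmp from glibc's <utmp.h> on 64-bit Linux.
// The layout is assumed from that header; it is not a Beats type.
type utmpRecord struct {
	Type     int16
	Pad      int16
	Pid      int32
	Line     [32]byte
	ID       [4]byte
	User     [32]byte
	Host     [256]byte
	ExitTerm int16
	ExitCode int16
	Session  int32
	TvSec    int32
	TvUsec   int32
	AddrV6   [4]int32
	Unused   [20]byte
}

// loginEvent holds the fields that identify one failed-login record.
type loginEvent struct {
	Type   int16
	Pid    int32
	Line   string
	User   string
	Host   string
	TvSec  int32
	TvUsec int32
}

// cstr converts a NUL-padded fixed-size field to a Go string.
func cstr(b []byte) string {
	if i := bytes.IndexByte(b, 0); i >= 0 {
		return string(b[:i])
	}
	return string(b)
}

// parseBtmp decodes every 384-byte record in raw btmp contents.
func parseBtmp(data []byte) ([]loginEvent, error) {
	if len(data)%utmpSize != 0 {
		return nil, fmt.Errorf("btmp length %d is not a multiple of %d", len(data), utmpSize)
	}
	var events []loginEvent
	r := bytes.NewReader(data)
	for r.Len() > 0 {
		var rec utmpRecord
		if err := binary.Read(r, binary.LittleEndian, &rec); err != nil {
			return nil, err
		}
		events = append(events, loginEvent{
			Type: rec.Type, Pid: rec.Pid,
			Line: cstr(rec.Line[:]), User: cstr(rec.User[:]), Host: cstr(rec.Host[:]),
			TvSec: rec.TvSec, TvUsec: rec.TvUsec,
		})
	}
	return events, nil
}

// dedupConsecutive drops a record identical (timestamp included) to the one
// immediately before it. Only adjacent duplicates are collapsed, so two real
// attempts that happen to match but are separated by other records both survive.
func dedupConsecutive(events []loginEvent) []loginEvent {
	out := make([]loginEvent, 0, len(events))
	for i, e := range events {
		if i > 0 && e == events[i-1] {
			continue
		}
		out = append(out, e)
	}
	return out
}

// encodeRecord builds one constructed btmp entry. Type 6 (LOGIN_PROCESS) is
// used only as a plausible sample value.
func encodeRecord(pid int32, line, user, host string, sec, usec int32) []byte {
	rec := utmpRecord{Type: 6, Pid: pid, TvSec: sec, TvUsec: usec}
	copy(rec.Line[:], line)
	copy(rec.User[:], user)
	copy(rec.Host[:], host)
	var buf bytes.Buffer
	if err := binary.Write(&buf, binary.LittleEndian, &rec); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// sampleBtmp is a constructed file image: one failed attempt written twice with
// the same timestamp (the behaviour reported above), followed by a distinct one.
func sampleBtmp() []byte {
	dup := encodeRecord(4242, "ssh:notty", "bob", "192.0.2.10", 1552000000, 0)
	other := encodeRecord(4250, "ssh:notty", "bob", "192.0.2.10", 1552000007, 0)
	return append(append(append([]byte{}, dup...), dup...), other...)
}

func main() {
	events, err := parseBtmp(sampleBtmp())
	if err != nil {
		log.Fatal(err)
	}
	unique := dedupConsecutive(events)
	fmt.Printf("raw records: %d, after de-duplication: %d\n", len(events), len(unique))
}
```

Collapsing only adjacent duplicates keeps the aggregation honest for the case described (two writes of the same entry at the same instant) without hiding repeated attempts that arrive later, which is exactly what a failed-login count should still reflect.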