Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Auditbeat] Cherry-pick #12591 to 7.2: Host: Fix reboot detection logic #12594

Merged
merged 1 commit into from
Jun 18, 2019
Merged

[Auditbeat] Cherry-pick #12591 to 7.2: Host: Fix reboot detection logic #12594

merged 1 commit into from
Jun 18, 2019

Conversation

cwurm
Copy link
Contributor

@cwurm cwurm commented Jun 18, 2019

Cherry-pick of PR #12591 to 7.2 branch. Original message:

On Windows, BootTime is not fully accurate and can vary by a few milliseconds (see Remarks for GetTickCount64). This causes a lot of false positive event.action: reboot events.

This PR changes to only report a reboot if the new BootTime is at least 1 second after the old. This should fix Windows and not affect the other platforms, assuming it's impossible to reboot a system twice in 1 second.

[Auditbeat] Host: Fix reboot detection logic (elastic#12591)
3c2ec5c 
On Windows, `BootTime` is not fully accurate and can vary by a few milliseconds. This causes a lot of false positive `event.action: reboot` events.

This changes to only report a reboot if the new `BootTime` is at least 1 second after the old. This should fix Windows and not affect the other platforms, assuming it's impossible to reboot a system twice in 1 second.

(cherry picked from commit 9d73bdc)
@cwurm cwurm requested a review from a team as a code owner June 18, 2019 10:08
@cwurm cwurm changed the title Cherry-pick #12591 to 7.2: [Auditbeat] Host: Fix reboot detection logic [Auditbeat] Cherry-pick #12591 to 7.2: Host: Fix reboot detection logic Jun 18, 2019
@elasticmachine
Copy link
Collaborator

Pinging @elastic/secops

@cwurm cwurm requested a review from adriansr June 18, 2019 10:08
@cwurm cwurm merged commit 7713063 into elastic:7.2 Jun 18, 2019
@cwurm cwurm deleted the backport_12591_7.2 branch June 18, 2019 12:58
leweafan pushed a commit to leweafan/beats that referenced this pull request Apr 28, 2023
[Auditbeat] Cherry-pick elastic#12591 to 7.2: Host: Fix reboot detect…
72dda04 
…ion logic (elastic#12594)

On Windows, `BootTime` is not fully accurate and can vary by a few milliseconds. This causes a lot of false positive `event.action: reboot` events.

This changes to only report a reboot if the new `BootTime` is at least 1 second after the old. This should fix Windows and not affect the other platforms, assuming it's impossible to reboot a system twice in 1 second.

(cherry picked from commit 4c44828)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@adriansr adriansr adriansr approved these changes

Assignees
No one assigned
Labels
Auditbeat backport review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cwurm @elasticmachine @adriansr