-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Auditbeat fails to retrieve System Module packages dataset when the Installed-Size of a package contains units #17171
Comments
Pinging @elastic/siem (Team:SIEM) |
Any idea about which package is causing this? |
I can reproduce it by faking the size of package:
Now, on starting auditbeat, it will fail with the aforementioned error |
I've created a PR to fix this: #17188 It's likely too late for 7.6.2, but will be backported to 7.7.0. |
Closing via #17188 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Auditbeat info
Issue
It seems Auditbeat gets packages data from
/var/lib/dpkg/status
. In particular, it seems it expects to find inInstalled-size
a number - see code - but some packages report the installed size in that file with units like356K
, so parsing the packages contents throws an error:"failed to get packages: error getting DEB packages: error converting 356K to int: strconv.ParseUint: parsing "356K": invalid syntax"
I could find only an old version of the definition of that field from the debian policy, so I do not know if it is current, which effectively indicates:
The disk space is given as the integer value of the estimated installed size in bytes, divided by 1024 and rounded up.
.However, the previous does not seem to be enforced, since sometimes packages report that value with units. See the following Github issue on the same topic: #16661
The text was updated successfully, but these errors were encountered: