the fact that you're seeing that indicates either ...
# generaly
yossarian
07/13/2021, 7:32 PMthe fact that you're seeing that indicates either extremely high disk activity (we're reading from a ring buffer) or a bug in the NTFS journal reader, which might be possible if they changed formats underneath us
s
seph
07/13/2021, 8:43 PM
There's a ticket about this... can you dump this great summery into it?
y
yossarian
07/13/2021, 9:53 PMyep!
yossarian
07/13/2021, 9:54 PMcould you link the ticket? i don't see it with a quick search, might just be missing it...
s
seph
07/13/2021, 9:58 PM
https://github.com/osquery/osquery/issues/5848 i added ntfs to the subject, since searching for it is impossible
seph
07/13/2021, 9:59 PM
Feel free to make it saner
y
yossarian
07/14/2021, 1:52 PMthanks!
yossarian
07/14/2021, 1:54 PMactually, that's a slightly different bug 😅 -- sometimes FRN-to-path mapping fails (maybe also because of high I/O load), but the failure that he's seeing is caused by record-to-previous-record mapping
yossarian
07/14/2021, 1:54 PMi'll create a new issue tracking it
yossarian
07/14/2021, 6:49 PM👍 1
5 Views