the fact that you re seeing that indicates either extremely

Question

the fact that you re seeing that indicates either extremely high disk activity we re reading from a ring buffer or a bug in the NTFS journal reader which might be possible if they changed formats underneath us

seph · Answer

There s a ticket about this can you dump this great summery into it

yossarian · Answer

yep

yossarian · Answer

could you link the ticket i don t see it with a quick search might just be missing it

seph · Answer

<https github com osquery osquery issues 5848> i added ntfs to the subject since searching for it is impossible

seph · Answer

Feel free to make it saner

yossarian · Answer

thanks

yossarian · Answer

actually that s a slightly different bug sweat smile sometimes FRN to path mapping fails maybe also because of high I O load but the failure that he s seeing is caused by record to previous record mapping

yossarian · Answer

i ll create a new issue tracking it

yossarian · Answer

opened as <https github com osquery osquery issues 7195>