This comes from rotating logs with logrotate, which will back up a log sequentially and touch a new logfile. This pretty much fsck's over the previously stored signatures.
A solution could be to exclude all logfiles from examination except wtmp. These logfiles, even though some might be security related, are not tampered with the way wtmp/utmp are when someone wants to cover up gaining root.
Wtmp could be checked IMO with chkwtmp from chkrootkit.
If you want to hold on to full coverage examination, another strategy could be running different signature databases on different filesystem selections at different times.
HTH
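
An added example, not part of the original post and not chkwtmp's own code: since a file signature cannot cover wtmp (it grows with every login), a content check can look for blanked records instead. It assumes the 384-byte glibc `struct utmp` layout of x86-64 Linux; the function names and the sample records are constructed for illustration.

```python
import struct

# Assumption: glibc "struct utmp" as laid out on x86-64 Linux (384-byte records).
REC = struct.Struct("<h2xi32s4s32s256s2hi2i16s20s")
TV_SEC = 9  # position of ut_tv.tv_sec in the unpacked tuple


def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one record; used only to construct the sample data below."""
    return REC.pack(ut_type, pid, line, b"", user, host, 0, 0, 0, tv_sec, 0, b"", b"")


def find_wiped_records(data):
    """Return (findings, trailing_bytes).

    Each finding is (record_index, last_time_before, first_time_after) for a
    record that is entirely zero bytes, i.e. an entry blanked in place.
    trailing_bytes != 0 means the file is not a whole number of records.
    """
    count, trailing = divmod(len(data), REC.size)
    stamps = []
    for i in range(count):
        raw = data[i * REC.size:(i + 1) * REC.size]
        wiped = raw.count(0) == REC.size
        stamps.append((wiped, REC.unpack(raw)[TV_SEC]))
    findings = []
    for i, (wiped, _) in enumerate(stamps):
        if not wiped:
            continue
        # Bracket the gap with the nearest intact timestamps on either side.
        before = next((t for w, t in reversed(stamps[:i]) if not w), None)
        after = next((t for w, t in stamps[i + 1:] if not w), None)
        findings.append((i, before, after))
    return findings, trailing


def sample_wtmp():
    """Constructed sample: two logins with two blanked records between them."""
    user_process = 7  # USER_PROCESS from <utmp.h>
    first = pack_record(user_process, 4101, b"pts/0", b"alice", b"192.0.2.10", 1000)
    last = pack_record(user_process, 4188, b"pts/1", b"bob", b"192.0.2.11", 2000)
    return first + bytes(REC.size) * 2 + last


if __name__ == "__main__":
    findings, trailing = find_wiped_records(sample_wtmp())
    for index, before, after in findings:
        print(f"record {index}: zeroed entry between t={before} and t={after}")
    if trailing:
        print(f"{trailing} trailing bytes: file is truncated or has another layout")
```

To check a real file, pass `open("/var/log/wtmp", "rb").read()` to `find_wiped_records` on a host that uses this record layout.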