Osquery Manager Feedback

Aitor · December 2, 2021, 8:05pm

Hi there,

I have installed osquery manager and I am not able to do live queries from the fleet elastic cloud instance (v 7.15.2). I always get the message: "2 agents have responded, no osquery data has been reported" when I do a test query such as select * from users;

On the servers I can run queries on osqueryi and also run scheduled queries. I installed the elastic agent with the standard configuration, as shown in here: https://docs.elastic.co/en/integrations/osquery

I am getting this error in the elastic agent log:

Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xc062660d0116a9fb, ext:165072229178976, loc:(*time.Location)(0x55f2913c0820)}, Meta:{"raw_index":"logs-osquery_manager.result-default"}, Fields:{"action_data":{"id":"84682784-1696-436d-b340-086dd65238a4","query":"select * from users;"},"action_id":"71cbeda5-8b3b-4666-8e4c-041e500f9396","agent":{"ephemeral_id":"00e2eb3a-96e9-424b-8f55-bae62f6123cd","hostname”:”xxxxxxxxxxxxxx”,”id":"a1e9f3ea-8644-4f87-8436-39b24dee337d","name”:”xxxxxxxxx”,”type":"osquerybeat","version":"7.15.2"},"ecs":{"version":"1.11.0"},"elastic_agent":{"id":"a1e9f3ea-8644-4f87-8436-39b24dee337d","snapshot":false,"version":"7.15.2"},"event":{"module":"osquery_manager"},"host":

Let me know how should I proceed.

Thanks

aleksmaus · December 3, 2021, 3:21pm

It's difficult to say what is going on, this error from libbeat publisher is very generic.
Did you change the namespace for integration from default to something else?
One of the known issues with 7.15.x was that the namespace has to default, because the ad-hoc queries post data to the default namespace only. If you change it to something else the agent/osquerybeat will not have permissions to access the 'default' datastream.
This particular problem is addressed with 7.16 release.

You also refer to https://docs.elastic.co/en/integrations/osquery while the log shows that you actually use https://docs.elastic.co/en/integrations/osquery_manager.

Could you check the policy permissions section? maybe attach it here (minus any sensitive info)?
Anything in Elasticsearch log around that time?

Aitor · December 3, 2021, 6:09pm

Hi Aleksandr,

Thanks for your feedback. The problem was with the namespace of the integration (osquery manager) which was not set to 'default', after changing it the issue got resolved.

Thanks

system · December 31, 2021, 6:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
OSQuery Live Queries don't go through Elastic Security fleet , osquery-manager	15	3258	July 15, 2021
No Result from osquery elastic agent 7.14.0 Beats elastic-agent , osquery-manager	13	1918	March 31, 2022
Osquery has results but not displaying them Elastic Security osquery-manager	3	430	July 17, 2023
Osquery Live queries: windows endpoints not responding 'action undefined' Beats elastic-agent , osquery-manager	8	1389	March 7, 2022
Elastic-agent osquery through logstash doesn't work Elastic Agent fleet	4	497	September 22, 2022

Osquery Manager Feedback

Related topics