Osquery Manager Feedback

Aitor · December 2, 2021, 8:05pm

Hi there,

I have installed osquery manager and I am not able to do live queries from the fleet elastic cloud instance (v 7.15.2). I always get the message: "2 agents have responded, no osquery data has been reported" when I do a test query such as select * from users;

On the servers I can run queries on osqueryi and also run scheduled queries. I installed the elastic agent with the standard configuration, as shown in here: https://docs.elastic.co/en/integrations/osquery

I am getting this error in the elastic agent log:

Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xc062660d0116a9fb, ext:165072229178976, loc:(*time.Location)(0x55f2913c0820)}, Meta:{"raw_index":"logs-osquery_manager.result-default"}, Fields:{"action_data":{"id":"84682784-1696-436d-b340-086dd65238a4","query":"select * from users;"},"action_id":"71cbeda5-8b3b-4666-8e4c-041e500f9396","agent":{"ephemeral_id":"00e2eb3a-96e9-424b-8f55-bae62f6123cd","hostname”:”xxxxxxxxxxxxxx”,”id":"a1e9f3ea-8644-4f87-8436-39b24dee337d","name”:”xxxxxxxxx”,”type":"osquerybeat","version":"7.15.2"},"ecs":{"version":"1.11.0"},"elastic_agent":{"id":"a1e9f3ea-8644-4f87-8436-39b24dee337d","snapshot":false,"version":"7.15.2"},"event":{"module":"osquery_manager"},"host":

Let me know how should I proceed.

Thanks

aleksmaus · December 3, 2021, 3:21pm

It's difficult to say what is going on, this error from libbeat publisher is very generic.
Did you change the namespace for integration from default to something else?
One of the known issues with 7.15.x was that the namespace has to default, because the ad-hoc queries post data to the default namespace only. If you change it to something else the agent/osquerybeat will not have permissions to access the 'default' datastream.
This particular problem is addressed with 7.16 release.

You also refer to https://docs.elastic.co/en/integrations/osquery while the log shows that you actually use https://docs.elastic.co/en/integrations/osquery_manager.

Could you check the policy permissions section? maybe attach it here (minus any sensitive info)?
Anything in Elasticsearch log around that time?

Aitor · December 3, 2021, 6:09pm

Hi Aleksandr,

Thanks for your feedback. The problem was with the namespace of the integration (osquery manager) which was not set to 'default', after changing it the issue got resolved.

Thanks

system · December 31, 2021, 6:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.