Scheduled OSQuery Manager Pack queries don't seem to work on fresh installs of ELK 7.16.2 and 7.16.3 (tried 2 completely separate ELK installations, one hosted on Ubuntu 20.04 with TLS+cert, one on Windows 11 unsecure, both basic license on a self-managed install, which should be supported?).
OSQuery Live queries work fine in both. Regular integrations (metrics/logs) work fine too. Even the host metrics monitoring done by osquery agent works and agent logs (EA & OSQ agent) show no obvious issue. But a simple Pack query like 'select * from programs' produces no results.
Am I missing something? I can't find the solution in the documentation. Nor do I find an open or closed relevant issue on Kibana github. I've ruled out the older (resolved?) issue of OSQuery Manager not supporting other namespaces than 'default' yet. I've tested most relevant cfg variations. The 'Last results' column of the Pack always stays empty and my query results never show in logs-* or metrics-*.
It seems there is a configuration issue. Below is the resulting cfg of the Default policy in use.
Are others experiencing the same? Should a bug be reported?
```yaml
id: 2016d7cc-135e-5583-9758-3ba01f5a06e5
revision: 16
outputs:
  default:
    type: elasticsearch
    hosts:
      - 'http://192.168.1.11:9200'
output_permissions:
  default:
    _elastic_agent_monitoring:
      indices:
        - names:
            - logs-elastic_agent.apm_server-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.auditbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.endpoint_security-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.filebeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.fleet_server-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.heartbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.metricbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.osquerybeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.packetbeat-default
          privileges:
            - auto_configure
            - create_doc
    _elastic_agent_checks:
      cluster:
        - monitor
    osquery_manager-1:
      indices:
        - names:
            - logs-osquery_manager.result-default
          privileges:
            - auto_configure
            - create_doc
agent:
  monitoring:
    enabled: true
    use_output: default
    namespace: default
    logs: true
    metrics: false
inputs:
  - id: 2d3f76c0-1186-4be5-a517-dff529ac11fa
    name: osquery_manager-1
    revision: 5
    type: osquery
    use_output: default
    meta:
      package:
        name: osquery_manager
        version: 0.8.0
    data_stream:
      namespace: default
    osquery:
      packs:
        test:
          queries:
            '321':
              query: select * from programs
              interval: 5
              version: 2.11.0
              ecs_mapping: {}
fleet:
  hosts:
    - 'http://192.168.1.11:8220'
```
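An added example, not part of the original post and not Elastic's own tooling: a small Python sanity checker for the pack-query parts of an Elastic Agent policy like the one above. It confirms that each osquery input points at a defined output, that the API-key permissions for that input cover the `logs-osquery_manager.result-<namespace>` data stream the agent writes pack results to (a mismatch between the input's `data_stream.namespace` and the permitted index name is one way results silently never land), and that every pack query has non-empty text and a positive integer interval. The `POLICY` dict is a constructed subset of the posted policy; in practice you would pass the output of `yaml.safe_load()` on the full policy file to `check_policy()`. One caveat unrelated to the policy itself: the osquery `programs` table is Windows-only, so on the Ubuntu host that query returns no rows regardless of configuration.

```python
"""Sanity-check the osquery pack-query parts of an Elastic Agent policy.

Constructed example (not Elastic's code). POLICY mirrors the relevant parts
of the policy posted above; feed yaml.safe_load(...) output to check_policy()
for a real policy file.
"""

# Constructed subset of the posted policy; the monitoring permissions and
# fleet section are omitted because the checks below do not use them.
POLICY = {
    "outputs": {
        "default": {"type": "elasticsearch", "hosts": ["http://192.168.1.11:9200"]}
    },
    "output_permissions": {
        "default": {
            "osquery_manager-1": {
                "indices": [
                    {
                        "names": ["logs-osquery_manager.result-default"],
                        "privileges": ["auto_configure", "create_doc"],
                    }
                ]
            }
        }
    },
    "inputs": [
        {
            "id": "2d3f76c0-1186-4be5-a517-dff529ac11fa",
            "name": "osquery_manager-1",
            "type": "osquery",
            "use_output": "default",
            "data_stream": {"namespace": "default"},
            "osquery": {
                "packs": {
                    "test": {
                        "queries": {
                            "321": {
                                "query": "select * from programs",
                                "interval": 5,
                                "version": "2.11.0",
                                "ecs_mapping": {},
                            }
                        }
                    }
                }
            },
        }
    ],
}


def check_policy(policy):
    """Return a list of human-readable problems; an empty list means all checks pass."""
    problems = []
    outputs = policy.get("outputs", {})
    perms = policy.get("output_permissions", {})
    for inp in policy.get("inputs", []):
        if inp.get("type") != "osquery":
            continue
        name = inp.get("name", "<unnamed>")
        out = inp.get("use_output", "default")
        if out not in outputs:
            problems.append(f"{name}: use_output '{out}' is not a defined output")
        ns = inp.get("data_stream", {}).get("namespace", "default")
        # Pack results go to logs-osquery_manager.result-<namespace>, so the
        # API key minted for this input must be allowed to create docs there.
        want = f"logs-osquery_manager.result-{ns}"
        granted = set()
        for entry in perms.get(out, {}).get(name, {}).get("indices", []):
            if "create_doc" in entry.get("privileges", []):
                granted.update(entry.get("names", []))
        if want not in granted:
            problems.append(f"{name}: no create_doc permission on {want}")
        packs = inp.get("osquery", {}).get("packs", {})
        if not packs:
            problems.append(f"{name}: no packs configured")
        for pack, pdef in packs.items():
            queries = pdef.get("queries", {})
            if not queries:
                problems.append(f"{name}/{pack}: pack has no queries")
            for qid, q in queries.items():
                if not str(q.get("query", "")).strip():
                    problems.append(f"{name}/{pack}/{qid}: empty query")
                interval = q.get("interval")
                if not isinstance(interval, int) or interval <= 0:
                    problems.append(f"{name}/{pack}/{qid}: interval must be a positive integer")
    return problems


if __name__ == "__main__":
    for line in check_policy(POLICY) or ["policy passes pack-query sanity checks"]:
        print(line)
```

Run against the posted policy the checker reports no problems, which narrows the search to the agent side (osquerybeat logs, the `programs` table being unavailable on Linux) rather than the policy document itself.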