OSQuery Manager Pack scheduled queries not executed on ELK 7.16.2 and 7.16.3?

Scheduled OSQuery Manager Pack queries don't seem to work on fresh installs of ELK 7.16.2 and 7.16.3 (tried 2 completely separate ELK installations, one hosted on Ubuntu 20.04 with TLS+cert, one on Windows 11 unsecure, both basic license on a self-managed install, which should be supported?).

OSQuery Live queries work fine in both. Regular integrations (metrics/logs) work fine too. Even the host metrics monitoring done by osquery agent works and agent logs (EA & OSQ agent) show no obvious issue. But a simple Pack query like 'select * from programs' produces no results.

Am I missing something? I can't find the solution in the documentation. Nor do I find an open or closed relevant issue on Kibana github. I've ruled out the older (resolved?) issue of OSQuery Manager not supporting other namespaces than 'default' yet. I've tested most relevant cfg variations. The 'Last results' column of the Pack always stays empty and my query results never show in logs-* or metrics-*.

It seems there is a configuration issue. Below is the resulting cfg of the Default policy used.

Are others experiencing the same? Should a bug be reported?

id: 2016d7cc-135e-5583-9758-3ba01f5a06e5
revision: 16
outputs:
  default:
    type: elasticsearch
    hosts:
      - 'http://192.168.1.11:9200'
output_permissions:
  default:
    _elastic_agent_monitoring:
      indices:
        - names:
            - logs-elastic_agent.apm_server-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.auditbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.endpoint_security-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.filebeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.fleet_server-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.heartbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.metricbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.osquerybeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.packetbeat-default
          privileges:
            - auto_configure
            - create_doc
    _elastic_agent_checks:
      cluster:
        - monitor
    osquery_manager-1:
      indices:
        - names:
            - logs-osquery_manager.result-default
          privileges:
            - auto_configure
            - create_doc
agent:
  monitoring:
    enabled: true
    use_output: default
    namespace: default
    logs: true
    metrics: false
inputs:
  - id: 2d3f76c0-1186-4be5-a517-dff529ac11fa
    name: osquery_manager-1
    revision: 5
    type: osquery
    use_output: default
    meta:
      package:
        name: osquery_manager
        version: 0.8.0
    data_stream:
      namespace: default
    osquery:
      packs:
        test:
          queries:
            '321':
              query: select * from programs
              interval: 5
              version: 2.11.0
              ecs_mapping: {}
fleet:
  hosts:
    - 'http://192.168.1.11:8220'
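As an added example (not code from this thread or from Elastic), a small checker a defender could run over a Fleet policy like the one above once it is loaded as a Python dict: it verifies that the osquery input's result data stream is writable, that pack query intervals are sane, and that output and Fleet hosts are not plain http. The 60 s interval threshold and the plaintext-host check are this example's own assumptions, not Fleet or osquery_manager rules.

```python
# Added example, not code from the thread or Elastic: a sanity checker for
# osquery_manager inputs in a Fleet policy dict (e.g. the policy above via
# yaml.safe_load). The 60 s threshold and plaintext-host check are assumptions.

def find_policy_gaps(policy, min_interval=60):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    perms = policy.get("output_permissions", {})
    for inp in policy.get("inputs", []):
        if inp.get("type") != "osquery":
            continue
        name, out = inp["name"], inp.get("use_output", "default")
        # The agent's API key must allow create_doc on the result data stream,
        # otherwise Elasticsearch rejects the scheduled results.
        ns = inp.get("data_stream", {}).get("namespace", "default")
        stream = f"logs-osquery_manager.result-{ns}"
        allowed = {n for block in perms.get(out, {}).get(name, {}).get("indices", [])
                   if "create_doc" in block.get("privileges", [])
                   for n in block.get("names", [])}
        if stream not in allowed:
            findings.append(f"{name}: no create_doc privilege for {stream}")
        # osquery intervals are seconds; a full-table query every few seconds costs
        # CPU, and default differential logging reports only changed rows after run 1.
        for pack, pdef in inp.get("osquery", {}).get("packs", {}).items():
            for qid, q in pdef.get("queries", {}).items():
                iv = q.get("interval")
                if not isinstance(iv, int) or iv <= 0:
                    findings.append(f"{pack}/{qid}: invalid interval {iv!r}")
                elif iv < min_interval:
                    findings.append(f"{pack}/{qid}: interval {iv}s is below {min_interval}s")
    # Results and Fleet control traffic over plain http are readable on the wire.
    hosts = [(n, h) for n, o in policy.get("outputs", {}).items() for h in o.get("hosts", [])]
    hosts += [("fleet", h) for h in policy.get("fleet", {}).get("hosts", [])]
    for n, h in hosts:
        if h.startswith("http://"):
            findings.append(f"{n}: plaintext host {h}")
    return findings

# Constructed sample: the relevant parts of the policy in the post, reduced.
SAMPLE_POLICY = {
    "outputs": {"default": {"type": "elasticsearch", "hosts": ["http://192.168.1.11:9200"]}},
    "output_permissions": {"default": {"osquery_manager-1": {"indices": [
        {"names": ["logs-osquery_manager.result-default"],
         "privileges": ["auto_configure", "create_doc"]}]}}},
    "inputs": [{"name": "osquery_manager-1", "type": "osquery", "use_output": "default",
                "data_stream": {"namespace": "default"},
                "osquery": {"packs": {"test": {"queries": {
                    "321": {"query": "select * from programs", "interval": 5}}}}}}],
    "fleet": {"hosts": ["http://192.168.1.11:8220"]},
}
```

On the posted policy the privilege check passes, so the only findings are the 5 s interval and the two plaintext hosts; a mismatched namespace (results stream not covered by the permissions block) is reported as a separate finding.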

Hi @BSL. On first glance, it looks like that scheduled query should work. Do you see any errors in the agent or osquerybeat log files on the agent where the scheduled query is failing to run? For help finding the logs, see the Debug section of the Osquery docs.
