
[Osquery] Live Queries in Osquery do not display results, show "pending" then "expired" #183142

Open
p1kusmie opened this issue May 10, 2024 · 1 comment
Labels
bug Fixes for quality problems that affect the customer experience Team:Defend Workflows “EDR Workflows” sub-team of Security Solution

Comments


p1kusmie commented May 10, 2024

Kibana version: 8.12.2

Elasticsearch version: 8.12.2

Original install method (e.g. download page, yum, from source, etc.): Docker

**Describe the bug:**
The data returned by osquery is not displayed in Live Queries. Osquery shows a status of "pending" and then "expired", even though the agent returns a response, because I can find it in the index ".ds-logs-osquery_manager.result". You can view it by clicking "View in Discover".

Steps to reproduce:

  1. Navigate to Osquery -> Live Queries
  2. Execute a query, for example, SELECT * FROM users;

Screenshots (if relevant): [three screenshots attached: "Live queries", "Elastic", "Live queries"]

logs:
[2024-05-08T09:57:14.870+02:00][WARN ][plugins.fleet] large amount of default fields detected for index template logs-osquery_manager.result in package osquery_manager, applying the first 1024 fields
[2024-05-08T09:57:28.623+02:00][INFO ][plugins.fleet] Attempt to update the mappings for the logs-osquery_manager.result-abs (write_index_only)
[2024-05-08T09:57:28.631+02:00][INFO ][plugins.fleet] Attempt to update the mappings for the logs-osquery_manager.result-default (write_index_only)
[2024-05-08T09:57:28.730+02:00][INFO ][plugins.fleet] Mappings update for logs-osquery_manager.result-abs failed due to ResponseError: illegal_argument_exception
[2024-05-08T09:57:28.730+02:00][INFO ][plugins.fleet] Triggering a rollover for logs-osquery_manager.result-abs
[2024-05-08T09:57:28.830+02:00][INFO ][plugins.fleet] Mappings update for logs-osquery_manager.result-default failed due to ResponseError: illegal_argument_exception
[2024-05-08T09:57:28.830+02:00][INFO ][plugins.fleet] Triggering a rollover for logs-osquery_manager.result-default
[2024-05-08T09:57:42.950+02:00][ERROR][plugins.fleet] FleetError: error deleting pipeline logs-osquery_manager.result-1.8.4: ResponseError: illegal_argument_exception
illegal_argument_exception: pipeline [logs-osquery_manager.result-1.8.4] cannot be deleted because it is the default pipeline for 4 index(es) including [.ds-logs-osquery_manager.result-abs-2024.03.30-000054,.ds-logsosquery_manager.result-abs-2024.04.29-000056,.ds-logs-osquery_manager.result-default-2024.03.14-000002]

@p1kusmie p1kusmie added the bug Fixes for quality problems that affect the customer experience label May 10, 2024
@botelastic botelastic bot added the needs-team Issues missing a team label label May 10, 2024
@lukasolson lukasolson added Team:Defend Workflows “EDR Workflows” sub-team of Security Solution and removed needs-team Issues missing a team label labels May 14, 2024
elasticmachine (Contributor) commented:

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)
