Osquerybeat: Set the raw index name to suppress the timestamp suffix #26545
Do we need to do anything for upgrades?
the new data will end up in the index without
* master:
  Osquerybeat: set the raw index name to supress the timestamp suffix (elastic#26545)
  [Heartbeat] add screenshots config to synthetics (elastic#26455)
  [Elastic Agent] Use http2 to connect to Fleet Server. (elastic#26474)
  Remove all docs about Beats central management (elastic#26399)
  update data.json for gcp billing (elastic#26506)
  Skip x-pack metricbeat tests (elastic#26537)
  [Elastic Agent] Fix issue with FLEET_CA not being used with Fleet Server in container (elastic#26529)
  Add changelog entry for elastic#26224 (elastic#26531)
  Add inttests for the x-pack/metricbeat on a PR/branches basis (elastic#26526)
  Suppress too many errors (elastic#26224)
  Fix master's linting issue (elastic#26517)
  [libbeat] Fix encoding and file offset issues in the disk queue (elastic#26484)
  Add log_group_name_prefix config option for aws-cloudwatch input (elastic#26187)
  Update shared-deduplication.asciidoc (elastic#26492)
  Add Recorded Future support to threatintel module (elastic#26481)
…arwin-arm64
* upstream/master: (295 commits)
  Update urllib to 1.26.5. (elastic#26380)
  Update golang.org/x/crypto (elastic#26448)
  [Filebeat] Update Fortinet Ingest Pipeline (elastic#24816)
  Move parsers outside of filestream input so others can use them as well (elastic#26541)
  [Filebeat] Fix `threatintel.indicator.url.full` field not populating (elastic#26508)
  [Filebeat] Add network direction processor to Zeek and Suricata modules (elastic#24620)
  Logging code cleanup related to Nomad auto-discovery (elastic#26498)
  [Metricbeat] Add Couchbase's Sync Gateway module (elastic#25599)
  Refactor add_cloud_metadata to handle ECS fields easier (elastic#26438)
  [Elastic Agent] Improper casting of int64 (elastic#26520)
  [Elastic Agent] Enable configuring monitoring namespace (elastic#26439)
  [Heartbeat] configure permissions for synthetics config (elastic#26393)
  Osquerybeat: set the raw index name to supress the timestamp suffix (elastic#26545)
  [Heartbeat] add screenshots config to synthetics (elastic#26455)
  [Elastic Agent] Use http2 to connect to Fleet Server. (elastic#26474)
  Remove all docs about Beats central management (elastic#26399)
  update data.json for gcp billing (elastic#26506)
  Skip x-pack metricbeat tests (elastic#26537)
  [Elastic Agent] Fix issue with FLEET_CA not being used with Fleet Server in container (elastic#26529)
  Add changelog entry for elastic#26224 (elastic#26531)
  ...
Thanks for the fix @aleksmaus. I consider the previous behaviour a bug. But there is one issue that we need to communicate to customers now. Using 7.13 Elastic Agent with osquery will not be able to ship data to 7.14 because of the permissions.
Thank you! Will communicate to our team management.
What does this PR do?
Set the raw index name to suppress the timestamp suffix
This fixes the issue where the osquerybeat can't create the index for the result data, due to recent permissions tightening in kibana:
Also eliminates the need for special casing for osquerybeat elastic/kibana#103319.
Based on discussion:
https://groups.google.com/a/elastic.co/g/agent-team/c/Syc0bE12aK4/m/uuYWmILkBgAJ
Why is it important?
Fixes the breakage due to permissions tightening in kibana.
Checklist