
Osquerybeat: Add support for input/integration level osquery platform/version/discovery configuration #27233

Conversation


@aleksmaus aleksmaus commented Aug 4, 2021

What does this PR do?

Add support for input/integration level osquery platform/version/discovery configuration.
This allows mapping the integration configuration to the osquery packs 1:1.
The platform and version constraints at the input level currently have to have different names in order to avoid these values being injected into every stream; that's why the names are iplatform and iversion, abbreviations for the input platform and the input version.

This change requires the updated osquery_manager integration elastic/integrations#1441
and also a couple more fixes on the kibana side:

  1. kibana needs to be able to create integration configuration with empty vars; currently it returns an error when you try to add the updated osquery_manager integration into the policy.
  2. the configuration page for osquery manager needs to remove compiled_input from the input request payload when updating the integration configurations

This change can be merged before the work mentioned above; the new constraints would just get propagated with the policy and would not apply to the osquery configuration without those changes.

Here is an example of the request payload with the new constraints:

{
    "name": "osquery_manager-1",
    "description": "",
    "policy_id": "548a3940-df4e-11eb-8fdd-b98cebb63257",
    "namespace": "default",
    "inputs": [
        {
            "type": "osquery",
            "enabled": true,
            "streams": [
                {
                    "data_stream": {
                        "type": "logs",
                        "dataset": "osquery_manager.result"
                    },
                    "id": "osquery-osquery_manager.result-ce361ed0-559c-4549-a71c-c48dd64a12d3",
                    "vars": {
                        "query": {
                            "type": "text",
                            "value": "select * from users limit 5"
                        },
                        "interval": {
                            "type": "integer",
                            "value": "60"
                        },
                        "id": {
                            "type": "text",
                            "value": "users"
                        }
                    },
                    "enabled": true
                }
            ],
            "policy_template": "osquery_manager",
            "vars": {
                "iplatform": {
                    "type": "text",
                    "value": "posix"
                },
                "discovery": {
                    "type": "text",
                    "value": [
                        "SELECT pid FROM processes WHERE name = 'osquerybeat';",
                        "SELECT 1 FROM users WHERE username like 'amau%';"
                    ]
                },
                "iversion": {
                    "type": "text",
                    "value": "4.7.0"
                }
            }
        }
    ],
    "enabled": true,
    "output_id": "",
    "package": {
        "name": "osquery_manager",
        "title": "Osquery Manager",
        "version": "0.5.1"
    }
}

Here is the screenshot of the policy configuration with the new input level constraints:
(screenshot: Screen Shot 2021-08-04 at 8 38 20 AM)

Why is it important?

This is needed in order to support further configuration options of the osquery packs.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have added tests that prove my fix is effective or that my feature works

Related issues

Special thanks to @nchaulet for working with me yesterday through undocumented obstacles of integration package changes and kibana errors.
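As an added example (not osquerybeat's or the osquery_manager integration's code), here is how the input-level iplatform/iversion/discovery vars and the per-stream vars from the payload above map 1:1 onto an osquery pack. It assumes osquery's pack JSON keys (platform, version, discovery, queries) and uses a trimmed copy of the example payload as constructed input.

```python
import json

# Constructed sample: a trimmed copy of the example payload above (this is an added
# illustration, not osquerybeat code; it assumes osquery's pack JSON shape).
POLICY_JSON = """{"inputs": [{"type": "osquery", "enabled": true,
  "streams": [{"enabled": true, "vars": {
      "query": {"type": "text", "value": "select * from users limit 5"},
      "interval": {"type": "integer", "value": "60"},
      "id": {"type": "text", "value": "users"}}}],
  "vars": {
      "iplatform": {"type": "text", "value": "posix"},
      "discovery": {"type": "text", "value": [
          "SELECT pid FROM processes WHERE name = 'osquerybeat';",
          "SELECT 1 FROM users WHERE username like 'amau%';"]},
      "iversion": {"type": "text", "value": "4.7.0"}}}]}"""


def _var(vars_, key, default=None):
    """Fleet wraps every variable as {"type": ..., "value": ...}; return the value."""
    entry = vars_.get(key)
    return default if entry is None else entry.get("value", default)


def input_to_pack(inp):
    """One enabled osquery input -> one osquery pack dict: iplatform/iversion
    become platform/version (the input-level names differ only so Fleet does not
    inject them into every stream), discovery is copied as-is, and each enabled
    stream becomes a named scheduled query."""
    pack = {"queries": {}}
    for src, dst in (("iplatform", "platform"), ("iversion", "version"),
                     ("discovery", "discovery")):
        val = _var(inp.get("vars", {}), src)
        if val:  # omit empty constraints so osquery applies no filter for them
            pack[dst] = val
    for stream in inp.get("streams", []):
        if not stream.get("enabled", False):
            continue
        svars = stream.get("vars", {})
        name = _var(svars, "id")
        if not name:
            raise ValueError("stream without an id cannot be scheduled")
        pack["queries"][name] = {"query": _var(svars, "query"),
                                 "interval": int(_var(svars, "interval", 0))}  # "60" arrives as text
    return pack


def packs_from_policy(policy_json):
    """Return {pack_name: pack} for every enabled osquery input in a policy payload."""
    policy = json.loads(policy_json)
    return {f"input-{i}": input_to_pack(inp)
            for i, inp in enumerate(policy.get("inputs", []))
            if inp.get("type") == "osquery" and inp.get("enabled", False)}
```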

botelastic bot commented Aug 4, 2021

This pull request doesn't have a Team:<team> label.

@elasticmachine

💚 Build Succeeded


Build stats

  • Start Time: 2021-08-04T14:03:40.624+0000
  • Duration: 52 min 4 sec
  • Commit: 41e8f66

Test stats 🧪

Test Results
Failed 0
Passed 3656
Skipped 0
Total 3656

💚 Flaky test report

Tests succeeded.


@aleksmaus aleksmaus merged commit 75ed47c into elastic:master Aug 9, 2021
mergify bot pushed a commit that referenced this pull request Aug 9, 2021
…/version/discovery configuration (#27233)

(cherry picked from commit 75ed47c)
aleksmaus added a commit that referenced this pull request Aug 9, 2021
…/version/discovery configuration (#27233) (#27281)

(cherry picked from commit 75ed47c)

Co-authored-by: Aleksandr Maus <aleksandr.maus@elastic.co>
Labels
backport-v7.15.0 Automated backport with mergify backport-v7.16.0 Automated backport with mergify enhancement Team:Asset Mgt