Osquerybeat: Add action responses data stream #39143
Conversation
This pull request does not have a backport label.
To fixup this pull request, you need to add the backport labels for the needed
Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)
I am not an osquery beat expert but in terms of go code this lgtm. I would vote for a Changelog entry in CHANGELOG.next.asciidoc
```go
	},
}

for _, tc := range tests {
```
If you use T.Run()
here, it will have some advantages, each test case would be run and return results separately.
Ooops, sorry, saw the approval, merged, but missed these comments. Will open a follow up PR to address this.
"count": 1, | ||
"started_at": "2024-04-18T19:39:39.532125Z" | ||
} `), | ||
// "agent_id": "bf3d6036-2260-4bbf-94a3-5ccce0d75d9e", |
I think you could remove agent_id if it's not needed
Thanks @aleksmaus 🥇
I looked through the code, and it seems logical to me :) However, you know that I do not know Go :) Would you like me to test this within Kibana, or have you already tested everything?
@tomsonpl @szwarckonrad Please test this with the corresponding integration change, which is not merged yet. I will be holding off on the integration PR (elastic/integrations#9661) merge for now until you adjust Kibana and confirm that everything works for you as expected. Please reach out on Slack if you have questions.
Proposed commit message
Add action responses data stream:
logs-osquery_manager.action.responses-default
This allows osquerybeat to post the action responses directly to Elasticsearch and fixes the issues with the current transform-job-based approach, where the action results could be lost at scale; presently there is no better solution to address this at the Elasticsearch stack level.
For more details check this ticket:
https://github.com/elastic/security-team/issues/8893
This change also sets things up to be able to handle client-side processors correctly per stream as needed, see the issue ticket https://github.com/elastic/security-team/issues/9041. The Kibana-side configuration UI needs to be updated in order to support this feature.
This change is backwards compatible and works with the policy before the osquery_manager package update elastic/integrations#9661
The action response document will be sent to
logs-osquery_manager.action.responses-default
only when this new integration package is installed and the osquery_manager.action.responses stream becomes available in the policy. Since the results are now posted into the proper
logs-osquery_manager.action.responses-default
data stream, Kibana would need to be adjusted to use it instead of the currently used index.
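An added example, not code from this PR or from osquerybeat: it shows the backward-compatibility rule the commit message describes (post to the new data stream only when the policy carries the osquery_manager.action.responses stream) together with a validation step before a response document is encoded, so malformed results are rejected rather than silently shipped. The ActionResponse shape, ResponseDataStream and EncodeDocument are assumptions made for this example; only the data stream and stream names and the count, started_at and agent_id fields come from the page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Names taken from the PR description; everything else here is assumed.
const (
	ActionResponsesDataStream = "logs-osquery_manager.action.responses-default"
	ActionResponsesStreamName = "osquery_manager.action.responses"
)

// ActionResponse is a hypothetical result shape; only count, started_at and agent_id are on the page.
type ActionResponse struct {
	ActionID    string    `json:"action_id"`
	AgentID     string    `json:"agent_id,omitempty"`
	Count       int       `json:"count"`
	StartedAt   time.Time `json:"started_at"`
	CompletedAt time.Time `json:"completed_at"`
	Error       string    `json:"error,omitempty"`
}

// ResponseDataStream applies the backward-compatibility rule from the PR
// description: use the new data stream only when the policy exposes the
// osquery_manager.action.responses stream; ok == false means keep the legacy path.
func ResponseDataStream(policyStreams []string) (name string, ok bool) {
	for _, s := range policyStreams {
		if s == ActionResponsesStreamName {
			return ActionResponsesDataStream, true
		}
	}
	return "", false
}

// EncodeDocument serialises a response for indexing, refusing results that
// could not be attributed or reconciled later (no action_id, negative count,
// completion before start) instead of silently shipping them.
func EncodeDocument(r ActionResponse) ([]byte, error) {
	switch {
	case r.ActionID == "":
		return nil, fmt.Errorf("action response without action_id")
	case r.Count < 0:
		return nil, fmt.Errorf("negative count %d for action %s", r.Count, r.ActionID)
	case r.CompletedAt.Before(r.StartedAt):
		return nil, fmt.Errorf("action %s completed before it started", r.ActionID)
	}
	return json.Marshal(r)
}
```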
Checklist
CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc
How to test this PR locally
Full regression tests need to be performed:
The new action responses will be created in the new datastream
Related issues
Screenshots
The new logs-osquery_manager.action.responses-default document example: