From ab9c374dda5febfcd7272ea79dc0e34c021732fb Mon Sep 17 00:00:00 2001
From: Aleksandr Maus
Date: Thu, 12 Jan 2023 12:13:14 -0500
Subject: [PATCH 1/2] Osquerybeat: Fix data_stream configuration, enforce the default values used before 8.6.0
---
 x-pack/osquerybeat/cmd/root.go | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/x-pack/osquerybeat/cmd/root.go b/x-pack/osquerybeat/cmd/root.go
index 45c10c098525..26c99a43cf85 100644
--- a/x-pack/osquerybeat/cmd/root.go
+++ b/x-pack/osquerybeat/cmd/root.go
@@ -23,6 +23,7 @@ import (
 _ "github.com/elastic/beats/v7/x-pack/libbeat/include"
 "github.com/elastic/beats/v7/x-pack/osquerybeat/beater"
+ "github.com/elastic/beats/v7/x-pack/osquerybeat/internal/config"
 "github.com/elastic/beats/v7/x-pack/osquerybeat/internal/install"
 )
@@ -74,14 +75,30 @@ func genVerifyCmd(_ instance.Settings) *cobra.Command {
 func osquerybeatCfg(rawIn *proto.UnitExpectedConfig, agentInfo *client.AgentInfo) ([]*reload.ConfigWithMeta, error) {
 // Convert to streams, osquerybeat doesn't use streams
 streams := make([]*proto.Stream, 1)
+
+ // Enforce the datastream dataset and type because the libbeat call to CreateInputsFromStreams
+ // provides it's own defaults that are breaking the osquery with logstash
+ // The target datastream for the publisher is expected to be logs-osquery_manager.result-
+ // while the libebeat management.CreateInputsFromStreams defaults to osquery-generic-default
+ var datastream *proto.DataStream
+ if rawIn.GetDataStream() != nil {
+ // Copy by value and modify dataset and type
+ ds := *rawIn.GetDataStream()
+ ds.Dataset = config.DefaultDataset
+ ds.Type = config.DefaultType
+ datastream = &ds
+ }
+
 streams[0] = &proto.Stream{
 Source: rawIn.GetSource(),
 Id: rawIn.GetId(),
- DataStream: rawIn.GetDataStream(),
+ DataStream: datastream,
 }
+
 rawIn.Streams = streams
 procs := defaultProcessors()
+
 modules, err := management.CreateInputsFromStreams(rawIn, "osquery", agentInfo, procs...)
 if err != nil {
 return nil, fmt.Errorf("error creating input list from raw expected config: %w", err)
From b8ef3438c272988643f63eda1fcf8bca94917038 Mon Sep 17 00:00:00 2001
From: Aleksandr Maus
Date: Thu, 12 Jan 2023 16:12:51 -0500
Subject: [PATCH 2/2] Added changelog entry
---
 CHANGELOG.next.asciidoc | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index c098a4a1ccc8..b701b26bf863 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
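Review bot: `ds := *rawIn.GetDataStream()` copies a message struct by value; if `proto.DataStream` is protoc-generated, as the `Get*` accessors suggest, it carries internal no-copy state and `go vet`'s copylocks check will flag this line. The override also only runs when `GetDataStream()` is non-nil, so with a nil data stream the libbeat defaults that the comment calls out as wrong would presumably still be applied and results would be published to a data stream other than the expected one. Building a fresh message handles both: `datastream := &proto.DataStream{Dataset: config.DefaultDataset, Type: config.DefaultType}`, plus whichever remaining fields (for example the namespace) need carrying over from `rawIn.GetDataStream()`. The comment block also has two typos, "it's own" and "libebeat". The body of osquerybeatCfg continues past the end of this hunk.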
@@ -105,6 +105,9 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]
 - Support Oracle-specific connection strings in SQL module {issue}32089[32089] {pull}32293[32293]
 - Remove deprecated metrics from controller manager, scheduler and proxy {pull}34161[34161]
+*Osquerybeat*
+
+- Fix data_stream configuration, enforce the default values used before 8.6.0. {pull}34246[34246]
 *Packetbeat*