Open
Description
Documentation links
The timeout info is incorrect in the 8.11 and earlier versions of the following pages:
- https://www.elastic.co/guide/en/kibana/8.11/osquery.html#osquery-run-query (Step 6)
- When update these docs, branch from
8.11and backport to8.5.
- When update these docs, branch from
- https://www.elastic.co/guide/en/security/8.11/alerts-run-osquery.html#osquery-alert-action (Step 5)
- When update these docs, branch from
8.11and backport to8.4.
- When update these docs, branch from
The error status is missing from the list of Osquery query statuses listed in https://www.elastic.co/guide/en/kibana/8.12/osquery.html#osquery-status.
Description
In the pre-8.12 Osquery docs, we need to update the line that tells users that queries will auto-timeout after five minutes, as it’s not entirely correct. Queries will timeout in either of these scenarios:
- Scenario 1: The agent is online and the query takes longer than the default 60 seconds to complete. In this situation, the query status is
error. - Scenario 2: The agent is offline, so the query cannot be completed. In this situation, Osquery waits 5 minutes for the agent to respond. If no response comes back after 5 minutes, the query status is
Failed.
The plan is to document these scenarios in the procedural docs (linked above) and to add the error status to the list of Osquery query statuses.
Which documentation set(s) does this bug apply to?
ESS and serverless
Release version
N/A
Testing environment
N/A