From 94f84eebeb320d02879fb7ea2c9e67e061a51114 Mon Sep 17 00:00:00 2001
From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com>
Date: Fri, 28 Feb 2025 10:26:41 -0800
Subject: [PATCH] [8.17](backport #42356) Increase Osquery max timeout limit to 24 hours (#42967)
* Increase Osquery max timeout limit to 24 hours (#42356)
Increasing the osquery max query timeout will allow users to run longer running queries that can be done with osquery. Although osquery only supports running one query at a time, and this may block others from running, it will allow users to decide for themselves if they want to run long-running queries, and opens new use-cases.
(cherry picked from commit 7a48e1507c879a3c291831349c1208fdca1997d1)
* Update CHANGELOG.next.asciidoc
Remove unrelated changes from backported changelog
---------
Co-authored-by: Michael Wolf
---
 CHANGELOG.next.asciidoc | 3 +--
 x-pack/osquerybeat/beater/osquerybeat.go | 2 +-
 x-pack/osquerybeat/internal/osqdcli/client.go | 2 +-
 3 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index b292dccd13e4..5e08fb1b2c68 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -44,8 +44,6 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Add action responses data stream, allowing osquerybeat to post action results directly to elasticsearch. {pull}39143[39143]
-*Osquerybeat*
-
 *Packetbeat*
@@ -296,6 +294,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 *Osquerybeat*
+- Increase maximum query timeout to 24 hours {pull}42356[42356]
 *Packetbeat*
diff --git a/x-pack/osquerybeat/beater/osquerybeat.go b/x-pack/osquerybeat/beater/osquerybeat.go
index 7ed65de2dc69..fa21f7c6d6c5 100644
--- a/x-pack/osquerybeat/beater/osquerybeat.go
+++ b/x-pack/osquerybeat/beater/osquerybeat.go
@@ -46,7 +46,7 @@ const (
 configurationRefreshIntervalSecs = 60
 osqueryTimeout = 1 * time.Minute
- osqueryMaxTimeout = 15 * time.Minute
+ osqueryMaxTimeout = 24 * time.Hour
 )
 const (
diff --git a/x-pack/osquerybeat/internal/osqdcli/client.go b/x-pack/osquerybeat/internal/osqdcli/client.go
index ca9ce7905807..fad1e8b33b74 100644
--- a/x-pack/osquerybeat/internal/osqdcli/client.go
+++ b/x-pack/osquerybeat/internal/osqdcli/client.go
@@ -25,7 +25,7 @@ const (
 defaultTimeout = 1 * time.Minute
 // The longest the query is allowed to run. Since queries are run one at a time, this will block all other queries until this query completes.
- defaultMaxTimeout = 15 * time.Minute
+ defaultMaxTimeout = 24 * time.Hour
 defaultConnectRetries = 10
 )
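Review bot: `osqueryMaxTimeout = 24 * time.Hour` in beater/osquerybeat.go has no comment, whereas the matching `defaultMaxTimeout` in osqdcli/client.go (the next hunk) explains that a query at the limit blocks all other queries; the same ceiling is also kept by hand in two packages. With the limit raised from 15 minutes to 24 hours, one accepted query can presumably stall scheduled and live-response queries on that host for up to a day, which is a monitoring gap worth stating where the limit is defined. I would add above the beater constant `// Upper bound on a per-query timeout. Queries run one at a time, so a query at this limit blocks all others for up to 24h; keep in sync with osqdcli.defaultMaxTimeout.` Both const blocks extend beyond their hunks and the code that applies these constants is not shown, so the clamping behaviour is inferred from the names.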