sort indicies, perform rollover, package update code

elastic · Jan 16, 2023 · 6a6641d · 6a6641d
1 parent 788a1c0
commit 6a6641d
Showing 1 changed file with 44 additions and 25 deletions.
diff --git a/x-pack/plugins/osquery/server/plugin.ts b/x-pack/plugins/osquery/server/plugin.ts
@@ -17,7 +17,9 @@ import { SavedObjectsClient } from '@kbn/core/server';
 import type { DataRequestHandlerContext } from '@kbn/data-plugin/server';
 import type { DataViewsService } from '@kbn/data-views-plugin/common';
 import { orderBy } from 'lodash';
-import deepequal from 'fast-deep-equal';
+import { asyncForEach } from '@kbn/std';
+import { satisfies } from 'semver';
+import { updatePackage } from '../../fleet/server/services/epm/packages/update';
 
 import type { NewPackagePolicy, UpdatePackagePolicy } from '@kbn/fleet-plugin/common';
 import type { PackSavedObjectAttributes } from './common/types';
@@ -46,6 +48,7 @@ import { createDataViews } from './create_data_views';
 import { createActionHandler } from './handlers/action';
 
 import { registerFeatures } from './utils/register_features';
+import { key } from 'vega';
 
 export class OsqueryPlugin implements Plugin<OsqueryPluginSetup, OsqueryPluginStart> {
   private readonly logger: Logger;
@@ -140,52 +143,68 @@ export class OsqueryPlugin implements Plugin<OsqueryPluginSetup, OsqueryPluginSt
         await this.initialize(core, dataViewsService);
       }
 
+      // TODO: This package update isn't working as I thought it would right now.
+      if (packageInfo && satisfies(packageInfo?.version ?? '', '<1.6.0')) {
+        this.logger.error('updating osquery_manager package');
+        try {
+          const updatedPackageInfo = await updatePackage({savedObjectsClient: client, pkgName: 'osquery_manager', keepPoliciesUpToDate: false});
+          this.logger.error('updated package info: ' + updatedPackageInfo.version);
+        } catch (e) {
+          this.logger.error(e);
+        }
+      } else {
+        this.logger.error('not updating package');
+      }
+
+      if(satisfies(packageInfo?.version ?? '', '>=1.6.0')) {
       try {
 
+
+        this.logger.error('checking for rollover');
+
         // First get all datastreams matching the pattern.
         const dataStreams = await esClient.indices.getDataStream({
           name: `logs-${OSQUERY_INTEGRATION_NAME}.result-*`,
         });
 
+        this.logger.error('dataStreams: ' + dataStreams?.data_streams[0]?.name + dataStreams?.data_streams[0]?.name)
         // Then for each of those datastreams, we need to see if they need to rollover.
-        await dataStreams.data_streams.forEach(async dataStream => {
+        await asyncForEach(dataStreams.data_streams, async dataStream => {
           const mapping = await esClient.indices.getMapping({
             index: dataStream.name,
           });
 
+          const valuesToSort = Object.entries(mapping).map(([key, value]) => {
+            this.logger.error('key: ' + key + ' value: ' + value.mappings.properties.data_stream.properties.dataset.value);
+            return {index: key, mapping: value};
+          });
+
           // TODO: This sort doesn't look like its working right now.
           // Sort by index name to get the latest index
-          const dataStreamMapping = orderBy(Object.entries(mapping), [0], 'desc')?.[0][1]?.mappings
-          ?.properties?.data_stream;
+          const dataStreamMapping = orderBy(valuesToSort, ['index'], 'desc');
+
+          dataStreamMapping.forEach(value => {
+            this.logger.error('Sorted value: ' + value.index + ' value: ' + value.mapping.mappings.properties.data_stream.properties.dataset.value);
+          })
+          //?.[0][1]?.mappings?.properties?.data_stream;
 
           if (
             dataStreamMapping &&
-            deepequal(dataStreamMapping, {
-              properties: {
-                dataset: {
-                  type: 'constant_keyword',
-                  value: 'generic',  // We can just check for this value most likely.  It will signify that an osquery beat wrote the wrong data
-                },
-                namespace: {
-                  type: 'constant_keyword',
-                  value: 'default',  // This would need to be datastream specific to make sure it's the right namespace.  I think we can drop this comparison and just check dataset above.
-                },
-                type: {
-                  type: 'constant_keyword',
-                  value: 'osquery',
-                },
-              },
-            })
-          )
-
-          await esClient.indices.rollover({
-            alias: dataStream.name,
-          });
+            dataStreamMapping[0]?.mapping?.mappings?.properties?.data_stream.properties.dataset.value === 'generic'
+          ) {
+            this.logger.error(dataStream.name + ' ROLLING OVER....');
+            await esClient.indices.rollover({
+              alias: dataStream.name,
+            });
+          } else {
+            this.logger.error(dataStream.name + ' NOT ROLLING OVER....');
+          }
 
         });
       } catch(e) {
         this.logger.info(e);
       }
+    }
 
       if (registerIngestCallback) {
         registerIngestCallback(