diff --git a/x-pack/plugins/osquery/server/plugin.ts b/x-pack/plugins/osquery/server/plugin.ts index d52f177c6ba77..e88ae242a83b4 100644 --- a/x-pack/plugins/osquery/server/plugin.ts +++ b/x-pack/plugins/osquery/server/plugin.ts @@ -17,7 +17,9 @@ import { SavedObjectsClient } from '@kbn/core/server'; import type { DataRequestHandlerContext } from '@kbn/data-plugin/server'; import type { DataViewsService } from '@kbn/data-views-plugin/common'; import { orderBy } from 'lodash'; -import deepequal from 'fast-deep-equal'; +import { asyncForEach } from '@kbn/std'; +import { satisfies } from 'semver'; +import { updatePackage } from '../../fleet/server/services/epm/packages/update'; import type { NewPackagePolicy, UpdatePackagePolicy } from '@kbn/fleet-plugin/common'; import type { PackSavedObjectAttributes } from './common/types'; @@ -46,6 +48,7 @@ import { createDataViews } from './create_data_views'; import { createActionHandler } from './handlers/action'; import { registerFeatures } from './utils/register_features'; +import { key } from 'vega'; export class OsqueryPlugin implements Plugin { private readonly logger: Logger; @@ -140,52 +143,68 @@ export class OsqueryPlugin implements Plugin=1.6.0')) { try { + + this.logger.error('checking for rollover'); + // First get all datastreams matching the pattern. const dataStreams = await esClient.indices.getDataStream({ name: `logs-${OSQUERY_INTEGRATION_NAME}.result-*`, }); + this.logger.error('dataStreams: ' + dataStreams?.data_streams[0]?.name + dataStreams?.data_streams[0]?.name) // Then for each of those datastreams, we need to see if they need to rollover. - await dataStreams.data_streams.forEach(async dataStream => { + await asyncForEach(dataStreams.data_streams, async dataStream => { const mapping = await esClient.indices.getMapping({ index: dataStream.name, }); + const valuesToSort = Object.entries(mapping).map(([key, value]) => { + this.logger.error('key: ' + key + ' value: ' + value.mappings.properties.data_stream.properties.dataset.value); + return {index: key, mapping: value}; + }); + // TODO: This sort doesn't look like its working right now. // Sort by index name to get the latest index - const dataStreamMapping = orderBy(Object.entries(mapping), [0], 'desc')?.[0][1]?.mappings - ?.properties?.data_stream; + const dataStreamMapping = orderBy(valuesToSort, ['index'], 'desc'); + + dataStreamMapping.forEach(value => { + this.logger.error('Sorted value: ' + value.index + ' value: ' + value.mapping.mappings.properties.data_stream.properties.dataset.value); + }) + //?.[0][1]?.mappings?.properties?.data_stream; if ( dataStreamMapping && - deepequal(dataStreamMapping, { - properties: { - dataset: { - type: 'constant_keyword', - value: 'generic', // We can just check for this value most likely. It will signify that an osquery beat wrote the wrong data - }, - namespace: { - type: 'constant_keyword', - value: 'default', // This would need to be datastream specific to make sure it's the right namespace. I think we can drop this comparison and just check dataset above. - }, - type: { - type: 'constant_keyword', - value: 'osquery', - }, - }, - }) - ) - - await esClient.indices.rollover({ - alias: dataStream.name, - }); + dataStreamMapping[0]?.mapping?.mappings?.properties?.data_stream.properties.dataset.value === 'generic' + ) { + this.logger.error(dataStream.name + ' ROLLING OVER....'); + await esClient.indices.rollover({ + alias: dataStream.name, + }); + } else { + this.logger.error(dataStream.name + ' NOT ROLLING OVER....'); + } }); } catch(e) { this.logger.info(e); } + } if (registerIngestCallback) { registerIngestCallback(