Elastic Agent Policy is broken when JSON contains numeric string names #4200
Comments
|
Assigning this to myself for now. Will dig some more today. |
|
Changing "numeric" strings to "text" in the input config eliminates the issue: Input: Output: |
|
Thank you @aleksmaus 🙇 |
|
Abbreviated repro case with Output (the length of the array is 13 == 12+1): Not super familiar with and here is where the array |
|
Another unrelated caveat Results in the output: Which is not quite correct, since the it was |
|
the worse case INPUT: RESULT: INPUT: RESULT: |
|
Made some changed in go-ucfg lib in order to address the issues above, PR is open for review. |
|
Testing the change further with the agent and beats. Another place where it breaks is on the beats configuration parsing side: after the agent picked up the "workaround" and sends the correct configuration to the beats, the beats configuration parsing code breaks until go-ucfg and elastic-agent-libs changes are picked up. Beats generates the config here: using So it looks like the final scope of the update, if we start with go-ucfg, would include:
|
|
After applying the change to The incoming configuration is correct: The results from the scheduled query are posted as expected: Another possibly faster fix for osquery specific issue with much smaller change surface it to restrict users from assigning the numeric strings to the query ids. @tomsonpl opened a draft PR here elastic/kibana#176507 Still, any place that allows the numeric keys to be inserted into the policy will introduce this kind of issue. Another possible place for example is the oquery advanced configuration section that allows users to specify the free form JSON configuration for osquery. Another possible approach is to rewrite how incoming map[string]interface{} is parsed into Config so we don't have to work around/fix the current ucfg implementation and possibly break some other users who count on the current behavior, or maybe ditch the ucfg Config altogether. Need some feedback from the agent/beats team here on all the possible consequences of making this change. |
|
ucfg is still used widely enough in our own code (both beats and agent) that fixing the problem there feels correct. Getting rid of uses of go-ucfg in one place doesn't help the other uses of it. I can't imagine anyone is depending on this currently completely broken behavior. |
|
PR against go-ucfg is open elastic/go-ucfg#198. I don't have permissions to set reviewers or any labels there though. |
|
The PR is merged. Need to update the Agent/beats/libs to pick up the version with this change. |
Tested with the latest Agent 8.13.
This is first uncovered with osquery when the users tried to use numbers as query id
elastic/kibana#175421
The incoming policy is correct.
Narrowed it down to to
c, err := config.NewConfigFrom(action.Policy)in PolicyChangeHandlerhttps://github.com/elastic/elastic-agent/blob/main/internal/pkg/agent/application/actions/handlers/handler_action_policy_change.go#L101
Repro code, for example, with JSON extracted from the policy
Result (truncated) looks like this:
Full result is attached, since it doesn't fit into description
result.json
The text was updated successfully, but these errors were encountered: