Increase maximum Osquery timeout to 24 hours #207276
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mjwolf
added
the
backport:prev-major
paul-tavares
requested review from
tomsonpl
and removed request for
paul-tavares
mjwolf
force-pushed
the
osquery_increase_timeout
branch
from
6591976 to
4a4b53c
Compare
Some Osquery queries are expected to be long running. To accommodate this, increase the maximum timeout in the query creation UI to 24 hours (86400 seconds). 24 hours should allow most long-running queries, while still having a limit that ensures misbehaving queries do not block others for an extremely long time.
mjwolf
force-pushed
the
osquery_increase_timeout
branch
from
4a4b53c to
5fcea2e
Compare
|
Starting backport for target branches: 8.16, 8.17, 8.18, 8.x |
💚 Build Succeeded
Metrics [docs]Page load bundle
History
|
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Jan 31, 2025
Some Osquery queries are expected to be long running. To accommodate this, increase the maximum timeout in the query creation UI to 24 hours (86400 seconds). 24 hours should allow most long-running queries, while still having a limit that ensures misbehaving queries do not block others for an extremely long time. Relates to elastic/beats#42352. Osquerybeat will also increase its timeout limit to 24h, this change will allow the higher timeout to be set by users in Kibana. (cherry picked from commit 81a57e0)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Jan 31, 2025
Some Osquery queries are expected to be long running. To accommodate this, increase the maximum timeout in the query creation UI to 24 hours (86400 seconds). 24 hours should allow most long-running queries, while still having a limit that ensures misbehaving queries do not block others for an extremely long time. Relates to elastic/beats#42352. Osquerybeat will also increase its timeout limit to 24h, this change will allow the higher timeout to be set by users in Kibana. (cherry picked from commit 81a57e0)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Jan 31, 2025
Some Osquery queries are expected to be long running. To accommodate this, increase the maximum timeout in the query creation UI to 24 hours (86400 seconds). 24 hours should allow most long-running queries, while still having a limit that ensures misbehaving queries do not block others for an extremely long time. Relates to elastic/beats#42352. Osquerybeat will also increase its timeout limit to 24h, this change will allow the higher timeout to be set by users in Kibana. (cherry picked from commit 81a57e0)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Jan 31, 2025
Some Osquery queries are expected to be long running. To accommodate this, increase the maximum timeout in the query creation UI to 24 hours (86400 seconds). 24 hours should allow most long-running queries, while still having a limit that ensures misbehaving queries do not block others for an extremely long time. Relates to elastic/beats#42352. Osquerybeat will also increase its timeout limit to 24h, this change will allow the higher timeout to be set by users in Kibana. (cherry picked from commit 81a57e0)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Jan 31, 2025
# Backport This will backport the following commits from `main` to `8.x`: - [Increase maximum Osquery timeout to 24 hours (#207276)](#207276) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Michael Wolf","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-01-31T00:18:47Z","message":"Increase maximum Osquery timeout to 24 hours (#207276)\n\nSome Osquery queries are expected to be long running. To accommodate\r\nthis, increase the maximum timeout in the query creation UI to 24 hours\r\n(86400 seconds).\r\n\r\n24 hours should allow most long-running queries, while still having a\r\nlimit that ensures misbehaving queries do not block others for an\r\nextremely long time.\r\n\r\nRelates to elastic/beats#42352. Osquerybeat\r\nwill also increase its timeout limit to 24h, this change will allow the\r\nhigher timeout to be set by users in Kibana.","sha":"81a57e005ed0a6b72a254056813b1c6ee633da1f","branchLabelMapping":{"^v9.0.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:enhancement","v9.0.0","backport:prev-major"],"title":"Increase maximum Osquery timeout to 24 hours","number":207276,"url":"https://github.com/elastic/kibana/pull/207276","mergeCommit":{"message":"Increase maximum Osquery timeout to 24 hours (#207276)\n\nSome Osquery queries are expected to be long running. To accommodate\r\nthis, increase the maximum timeout in the query creation UI to 24 hours\r\n(86400 seconds).\r\n\r\n24 hours should allow most long-running queries, while still having a\r\nlimit that ensures misbehaving queries do not block others for an\r\nextremely long time.\r\n\r\nRelates to elastic/beats#42352. Osquerybeat\r\nwill also increase its timeout limit to 24h, this change will allow the\r\nhigher timeout to be set by users in Kibana.","sha":"81a57e005ed0a6b72a254056813b1c6ee633da1f"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/207276","number":207276,"mergeCommit":{"message":"Increase maximum Osquery timeout to 24 hours (#207276)\n\nSome Osquery queries are expected to be long running. To accommodate\r\nthis, increase the maximum timeout in the query creation UI to 24 hours\r\n(86400 seconds).\r\n\r\n24 hours should allow most long-running queries, while still having a\r\nlimit that ensures misbehaving queries do not block others for an\r\nextremely long time.\r\n\r\nRelates to elastic/beats#42352. Osquerybeat\r\nwill also increase its timeout limit to 24h, this change will allow the\r\nhigher timeout to be set by users in Kibana.","sha":"81a57e005ed0a6b72a254056813b1c6ee633da1f"}}]}] BACKPORT--> Co-authored-by: Michael Wolf <[email protected]>
kibanamachine
added a commit
that referenced
this pull request
Jan 31, 2025
# Backport This will backport the following commits from `main` to `8.17`: - [Increase maximum Osquery timeout to 24 hours (#207276)](#207276) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Michael Wolf","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-01-31T00:18:47Z","message":"Increase maximum Osquery timeout to 24 hours (#207276)\n\nSome Osquery queries are expected to be long running. To accommodate\r\nthis, increase the maximum timeout in the query creation UI to 24 hours\r\n(86400 seconds).\r\n\r\n24 hours should allow most long-running queries, while still having a\r\nlimit that ensures misbehaving queries do not block others for an\r\nextremely long time.\r\n\r\nRelates to elastic/beats#42352. Osquerybeat\r\nwill also increase its timeout limit to 24h, this change will allow the\r\nhigher timeout to be set by users in Kibana.","sha":"81a57e005ed0a6b72a254056813b1c6ee633da1f","branchLabelMapping":{"^v9.0.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:enhancement","v9.0.0","backport:prev-major"],"title":"Increase maximum Osquery timeout to 24 hours","number":207276,"url":"https://github.com/elastic/kibana/pull/207276","mergeCommit":{"message":"Increase maximum Osquery timeout to 24 hours (#207276)\n\nSome Osquery queries are expected to be long running. To accommodate\r\nthis, increase the maximum timeout in the query creation UI to 24 hours\r\n(86400 seconds).\r\n\r\n24 hours should allow most long-running queries, while still having a\r\nlimit that ensures misbehaving queries do not block others for an\r\nextremely long time.\r\n\r\nRelates to elastic/beats#42352. Osquerybeat\r\nwill also increase its timeout limit to 24h, this change will allow the\r\nhigher timeout to be set by users in Kibana.","sha":"81a57e005ed0a6b72a254056813b1c6ee633da1f"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/207276","number":207276,"mergeCommit":{"message":"Increase maximum Osquery timeout to 24 hours (#207276)\n\nSome Osquery queries are expected to be long running. To accommodate\r\nthis, increase the maximum timeout in the query creation UI to 24 hours\r\n(86400 seconds).\r\n\r\n24 hours should allow most long-running queries, while still having a\r\nlimit that ensures misbehaving queries do not block others for an\r\nextremely long time.\r\n\r\nRelates to elastic/beats#42352. Osquerybeat\r\nwill also increase its timeout limit to 24h, this change will allow the\r\nhigher timeout to be set by users in Kibana.","sha":"81a57e005ed0a6b72a254056813b1c6ee633da1f"}}]}] BACKPORT--> Co-authored-by: Michael Wolf <[email protected]>
kibanamachine
added a commit
that referenced
this pull request
Jan 31, 2025
# Backport This will backport the following commits from `main` to `8.16`: - [Increase maximum Osquery timeout to 24 hours (#207276)](#207276) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Michael Wolf","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-01-31T00:18:47Z","message":"Increase maximum Osquery timeout to 24 hours (#207276)\n\nSome Osquery queries are expected to be long running. To accommodate\r\nthis, increase the maximum timeout in the query creation UI to 24 hours\r\n(86400 seconds).\r\n\r\n24 hours should allow most long-running queries, while still having a\r\nlimit that ensures misbehaving queries do not block others for an\r\nextremely long time.\r\n\r\nRelates to elastic/beats#42352. Osquerybeat\r\nwill also increase its timeout limit to 24h, this change will allow the\r\nhigher timeout to be set by users in Kibana.","sha":"81a57e005ed0a6b72a254056813b1c6ee633da1f","branchLabelMapping":{"^v9.0.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:enhancement","v9.0.0","backport:prev-major"],"title":"Increase maximum Osquery timeout to 24 hours","number":207276,"url":"https://github.com/elastic/kibana/pull/207276","mergeCommit":{"message":"Increase maximum Osquery timeout to 24 hours (#207276)\n\nSome Osquery queries are expected to be long running. To accommodate\r\nthis, increase the maximum timeout in the query creation UI to 24 hours\r\n(86400 seconds).\r\n\r\n24 hours should allow most long-running queries, while still having a\r\nlimit that ensures misbehaving queries do not block others for an\r\nextremely long time.\r\n\r\nRelates to elastic/beats#42352. Osquerybeat\r\nwill also increase its timeout limit to 24h, this change will allow the\r\nhigher timeout to be set by users in Kibana.","sha":"81a57e005ed0a6b72a254056813b1c6ee633da1f"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/207276","number":207276,"mergeCommit":{"message":"Increase maximum Osquery timeout to 24 hours (#207276)\n\nSome Osquery queries are expected to be long running. To accommodate\r\nthis, increase the maximum timeout in the query creation UI to 24 hours\r\n(86400 seconds).\r\n\r\n24 hours should allow most long-running queries, while still having a\r\nlimit that ensures misbehaving queries do not block others for an\r\nextremely long time.\r\n\r\nRelates to elastic/beats#42352. Osquerybeat\r\nwill also increase its timeout limit to 24h, this change will allow the\r\nhigher timeout to be set by users in Kibana.","sha":"81a57e005ed0a6b72a254056813b1c6ee633da1f"}}]}] BACKPORT--> Co-authored-by: Michael Wolf <[email protected]>
kibanamachine
added a commit
that referenced
this pull request
Jan 31, 2025
# Backport This will backport the following commits from `main` to `8.18`: - [Increase maximum Osquery timeout to 24 hours (#207276)](#207276) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Michael Wolf","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-01-31T00:18:47Z","message":"Increase maximum Osquery timeout to 24 hours (#207276)\n\nSome Osquery queries are expected to be long running. To accommodate\r\nthis, increase the maximum timeout in the query creation UI to 24 hours\r\n(86400 seconds).\r\n\r\n24 hours should allow most long-running queries, while still having a\r\nlimit that ensures misbehaving queries do not block others for an\r\nextremely long time.\r\n\r\nRelates to elastic/beats#42352. Osquerybeat\r\nwill also increase its timeout limit to 24h, this change will allow the\r\nhigher timeout to be set by users in Kibana.","sha":"81a57e005ed0a6b72a254056813b1c6ee633da1f","branchLabelMapping":{"^v9.0.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:enhancement","v9.0.0","backport:prev-major"],"title":"Increase maximum Osquery timeout to 24 hours","number":207276,"url":"https://github.com/elastic/kibana/pull/207276","mergeCommit":{"message":"Increase maximum Osquery timeout to 24 hours (#207276)\n\nSome Osquery queries are expected to be long running. To accommodate\r\nthis, increase the maximum timeout in the query creation UI to 24 hours\r\n(86400 seconds).\r\n\r\n24 hours should allow most long-running queries, while still having a\r\nlimit that ensures misbehaving queries do not block others for an\r\nextremely long time.\r\n\r\nRelates to elastic/beats#42352. Osquerybeat\r\nwill also increase its timeout limit to 24h, this change will allow the\r\nhigher timeout to be set by users in Kibana.","sha":"81a57e005ed0a6b72a254056813b1c6ee633da1f"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/207276","number":207276,"mergeCommit":{"message":"Increase maximum Osquery timeout to 24 hours (#207276)\n\nSome Osquery queries are expected to be long running. To accommodate\r\nthis, increase the maximum timeout in the query creation UI to 24 hours\r\n(86400 seconds).\r\n\r\n24 hours should allow most long-running queries, while still having a\r\nlimit that ensures misbehaving queries do not block others for an\r\nextremely long time.\r\n\r\nRelates to elastic/beats#42352. Osquerybeat\r\nwill also increase its timeout limit to 24h, this change will allow the\r\nhigher timeout to be set by users in Kibana.","sha":"81a57e005ed0a6b72a254056813b1c6ee633da1f"}}]}] BACKPORT--> Co-authored-by: Michael Wolf <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Some Osquery queries are expected to be long running. To accommodate this, increase the maximum timeout in the query creation UI to 24 hours (86400 seconds).
24 hours should allow most long-running queries, while still having a limit that ensures misbehaving queries do not block others for an extremely long time.
Relates to elastic/beats#42352. Osquerybeat will also increase its timeout limit to 24h, this change will allow the higher timeout to be set by users in Kibana.
Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
[ ] Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support[ ] Documentation was added for features that require explanation or tutorialsrelease_note:breakinglabel should be applied in these situations.release_note:*label is applied per the guidelinesIdentify risks
This needs to go with the Beats PR to increase the max timeout in osquerybeat. This should be done by releasing both changes in the same versions (targeting 9.0 and 8.18).
But if it's not done, and Kibana or Beats/Agent do not get the same matching changes, there should be no serious problems. If Kibana isn't changed, it won't be able to configure a max timeout higher than what osquerybeat supports. If osquerybeat is not changed, it has logic that will lower any set timeout above it's max timeout to its max timeout, so the higher timeout from Kibana will not apply, but the query will not break.