OSQueries run under Live Pack shows pending then expired without providing any results

[Tedus007]

I believe we have bug with the current osquery version 1.11 and we are probably matching the below issue on Kibana

elastic/kibana#177257

Security Onion version: 2.4.110 Hotfix [20241010]

[defensivedepth]

Moved this to a discussion.

I have not been able to replicate this. Can you run a live query not from a pack?

Also, what version of Elastic Agent are your endpoints running?

[Tedus007]

Thank you for your reply.

I tried again but from what I see from the output in the docs field their is results, but in the view field is empty
Elastic Agent is 8.14.3

What makes me suspect this could be a bug with Os-query I found an issue opened in elastic mentioning the exact same issue and they mentioned this bug still appears in version 8.14 and was fixed on 8.15 with the new osquery version 1.12, kindly find attached my osquery test.

I'm currently on the latest SecurityOnion Version

_**From Kibana Github
elastic/kibana#177257

We have observed that this issue is occurring on 8.14.0 BC5, hence we are reopening this ticket.**_

We have validated this issue with the Osquery 1.12 integration package on 8.15.0 SNAPSHOT build and observed that issue is Fixed

[defensivedepth]

Yes it is very possible that you are running into this bug. You can still see the results, correct?

[Tedus007]

Yes, I can see the results in the discover view but not in the OSquery results, I've to go to kibana discover to search for the results.

[mralexc]

I have a similar issue with my instance.

[mralexc]

Just a note, I am running as a standalone instance. I've tried a complete reinstall of the instance as well without success.

[defensivedepth]

2.4.130 was just released, with the latest Elastic updates. I would suggest upgrading.

https://blog.securityonion.net/2025/03/security-onion-24130-now-available.html