osquerybeat: upgrade bundled osquery to 5.22.1 #49769

Open
marc-gr wants to merge 2 commits into elastic:main from marc-gr:chore/osquery-5.22.1

@marc-gr commented Mar 30, 2026

Proposed commit message

osquerybeat: upgrade bundled osquery to 5.22.1

Refresh bundled osquery version and checksums and align osquerybeat install
fixtures with the new release while keeping test data in sync.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding changes to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
  • I have added an entry in ./changelog/fragments using the changelog tool.

Disruptive User Impact

None.

How to test this PR locally

  • go test ./x-pack/osquerybeat/internal/install/...

@marc-gr requested a review from a team as a code owner March 30, 2026 10:15

@botelastic bot added the needs_team (Indicates that the issue/PR needs a Team:* label) label Mar 30, 2026

@github-actions

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

@marc-gr added the enhancement, Osquerybeat, backport-skip (Skip notification from the automated backport with mergify) and Team:Security-Windows Platform (Windows Platform Team in Security Solution) labels Mar 30, 2026

@botelastic bot removed the needs_team (Indicates that the issue/PR needs a Team:* label) label Mar 30, 2026

@elasticmachine

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

mergify bot commented Mar 30, 2026

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @marc-gr? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

coderabbitai bot commented Mar 30, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f1017101-6f9f-4698-9c30-c1d90de67d2d

📥 Commits

Reviewing files that changed from the base of the PR and between e50e210 and 8c81588.

📒 Files selected for processing (2)
  • NOTICE.txt
  • go.mod
✅ Files skipped from review due to trivial changes (2)
  • NOTICE.txt
  • go.mod

📝 Walkthrough

This PR upgrades osquery from version 5.19.0 to 5.22.1 across the osquerybeat project. Changes include updating the bundled distribution version constant and SHA256 checksums for all platform artifacts (Darwin, Linux, Linux ARM, Windows, Windows Zip), updating example artifact download URLs in configuration templates and reference documentation, refactoring tests and fixtures to derive the osquery version from the distro module instead of hardcoded strings, adding a changelog fragment, and promoting Masterminds/semver to a direct go.mod requirement.

@github-actions

TL;DR

x-pack/osquerybeat: Run check/update failed because make check-no-changes detected an uncommitted go.mod change. The generated update wants github.com/Masterminds/semver v1.5.0 to be a direct dependency (remove // indirect).

Remediation

  • Run make -C x-pack/osquerybeat check update locally and commit the resulting root go.mod change.
  • Ensure go.mod includes github.com/Masterminds/semver v1.5.0 without // indirect (currently at go.mod:17 in this checkout).
  • Re-run the same Buildkite step (or full CI) to confirm check-no-changes is clean.

Investigation details

Root Cause

This is a dependency-drift failure: the update/check step generated a diff in go.mod, then failed at check-no-changes.

From the failing job log, the exact generated diff was:

--- a/go.mod
+++ b/go.mod
@@ -14,7 +14,7 @@ require (
-    github.com/Masterminds/semver v1.5.0 // indirect
+    github.com/Masterminds/semver v1.5.0
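Review bot: the + line promotes github.com/Masterminds/semver v1.5.0 to a direct requirement, but the proposed commit message only mentions the osquery version, checksums and fixtures. Name the package that now imports semver directly in the commit message or the changelog fragment, and commit this go.mod line in the same change as that import so that check-no-changes stays clean.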

Then the step exited with:

go.mod: needs update
make: *** [Makefile:114: check-no-changes] Error 1

Evidence

  • Build: https://buildkite.com/elastic/beats/builds/43204
  • Job/step: x-pack/osquerybeat: Run check/update
  • Command: make -C x-pack/osquerybeat check update then make check-no-changes
  • Log file: /tmp/gh-aw/buildkite-logs/beats-xpack-osquerybeat-x-packosquerybeat-run-checkupdate.txt

Verification

  • Reproduction in this workspace was not run because this checkout is on main (2d10f572...), not the failing PR commit (e50e210...), and the Buildkite log already contains the exact failing diff.

Follow-up

If this keeps recurring, verify whether any PR-introduced import now requires Masterminds/semver directly and commit the resulting module graph update alongside the code change.

Note

🔒 Integrity filtering filtered 1 item

Integrity filtering activated and filtered the following item during workflow execution.
This happens when a tool call accesses a resource that does not meet the required integrity or secrecy level of the workflow.

