[osquery] osquery doesn't work when Logstash output is used

[defensivedepth]

Fleet + Elastic Agent 8.3.2, fresh install.

Using W10, macOS & Centos7 systems. Have two different outputs setup:

When I select the Elasticsearch output as default, osquery appears to work:

When I change the default output to Logstash, I get errors:

Same exact query (select * from users), same exact config. I have confirmed that the osquery config does exist both in the Kibana UI & in elastic-agent inspect:

[melissaburpo]

Hi @defensivedepth, thanks for raising this issue, and good find! We actually just released a fix for this, but it's possible it didn't quite make the cutoff to be included in the 8.3.2 release. @aleksmaus or @james-elastic can likely confirm, but I'd expect this to be included in 8.3.3 and 8.4.0.

Here's the PR for the fix: elastic/elastic-agent#674

[botelastic]

Hi! We just realized that we haven't looked into this issue in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!