Osquerybeat: Result values type translation

[aleksmaus]

What does this PR do?

Translates Osquery results values to appropriate type according to the column type information of the query.
Utilizes the GetQueryColumns osquery go client API, caches the types information per query in LRU cache.

Why is it important?

Primarily allows us to handle better the numeric values that were strings by default.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

Can test with standalone Osquerybeat config, example:

osquerybeat:
  inputs:
    - type: osquery
      streams:
        - id: "E169F085-AC8B-48AF-9355-D2977030CE24"
          query: "select * from temperature_sensors"
          interval: 1m        

Or running with agent and fleet server.

Related issues

Related issues

• Relates https://github.com/elastic/security-team/issues/935, Explicit mapping for all osquery fields integrations#902

Screenshots

osquery mapping:

collected osquery data with types converted appropriately with osquerybeat

[elasticmachine]

💔 Build Failed

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Build Cause: Pull request #25012 updated

• Start Time: 2021-04-14T12:34:56.937+0000

• Duration: 65 min 18 sec

• Commit: 0404152

Test stats 🧪

Test	Results
Failed	0
Passed	46994
Skipped	5134
Total	52128

Trends 🧪

Steps errors

Expand to view the steps failures

auditbeat-packaging-arm-arm - mage package

• Took 4 min 37 sec . View more details on here
• Description: mage package

filebeat-packaging-arm-arm - mage package

• Took 8 min 47 sec . View more details on here
• Description: mage package

heartbeat-packaging-arm-arm - mage package

• Took 7 min 16 sec . View more details on here
• Description: mage package

journalbeat-packaging-arm-arm - mage package

• Took 11 min 8 sec . View more details on here
• Description: mage package

metricbeat-packaging-arm-arm - mage package

• Took 12 min 13 sec . View more details on here
• Description: mage package

packetbeat-packaging-arm-arm - mage package

• Took 7 min 21 sec . View more details on here
• Description: mage package

x-pack/elastic-agent-packaging-arm-arm - mage package

• Took 22 min 35 sec . View more details on here
• Description: mage package

x-pack/heartbeat-packaging-arm-arm - mage package

• Took 8 min 13 sec . View more details on here
• Description: mage package

x-pack/metricbeat-packaging-arm-arm - mage package

• Took 6 min 26 sec . View more details on here
• Description: mage package

Error signal

• Took 0 min 0 sec . View more details on here
• Description: Error 'hudson.AbortException: script returned exit code 1'

Log output

Expand to view the last 100 lines of log output

[2021-04-14T13:39:37.183Z] 10.13s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_136_oracle
[2021-04-14T13:39:37.183Z] 9.98s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_153_gcp
[2021-04-14T13:39:37.183Z] 9.89s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_135_oracle
[2021-04-14T13:39:37.183Z] 9.88s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_164_cisco
[2021-04-14T13:39:37.183Z] 9.88s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_004_cyberark
[2021-04-14T13:39:37.183Z] ======================= 323 passed in 1608.10s (0:26:48) =======================
[2021-04-14T13:39:37.183Z] >> python test: Integration Testing Complete
[2021-04-14T13:39:40.961Z] Cleaning up /var/lib/jenkins/workspace/PR-25012-7-2561faab-a7f1-4089-8b25-a11689f26347
[2021-04-14T13:39:40.961Z] Client: Docker Engine - Community
[2021-04-14T13:39:40.961Z]  Version:           20.10.3
[2021-04-14T13:39:40.962Z]  API version:       1.41
[2021-04-14T13:39:40.962Z]  Go version:        go1.13.15
[2021-04-14T13:39:40.962Z]  Git commit:        48d30b5
[2021-04-14T13:39:40.962Z]  Built:             Fri Jan 29 14:33:13 2021
[2021-04-14T13:39:40.962Z]  OS/Arch:           linux/amd64
[2021-04-14T13:39:40.962Z]  Context:           default
[2021-04-14T13:39:40.962Z]  Experimental:      true
[2021-04-14T13:39:40.962Z] 
[2021-04-14T13:39:40.962Z] Server: Docker Engine - Community
[2021-04-14T13:39:40.962Z]  Engine:
[2021-04-14T13:39:40.962Z]   Version:          20.10.3
[2021-04-14T13:39:40.962Z]   API version:      1.41 (minimum version 1.12)
[2021-04-14T13:39:40.962Z]   Go version:       go1.13.15
[2021-04-14T13:39:40.962Z]   Git commit:       46229ca
[2021-04-14T13:39:40.962Z]   Built:            Fri Jan 29 14:31:25 2021
[2021-04-14T13:39:40.962Z]   OS/Arch:          linux/amd64
[2021-04-14T13:39:40.962Z]   Experimental:     false
[2021-04-14T13:39:40.962Z]  containerd:
[2021-04-14T13:39:40.962Z]   Version:          1.4.4
[2021-04-14T13:39:40.962Z]   GitCommit:        05f951a3781f4f2c1911b05e61c160e9c30eaa8e
[2021-04-14T13:39:40.962Z]  runc:
[2021-04-14T13:39:40.962Z]   Version:          1.0.0-rc93
[2021-04-14T13:39:40.962Z]   GitCommit:        12644e614e25b05da6fd08a38ffa0cfe1903fdec
[2021-04-14T13:39:40.962Z]  docker-init:
[2021-04-14T13:39:40.962Z]   Version:          0.19.0
[2021-04-14T13:39:40.962Z]   GitCommit:        de40ad0
[2021-04-14T13:39:40.962Z] Change ownership of all files inside the specific folder from root/root to current user/group
[2021-04-14T13:39:40.962Z] Unable to find image 'alpine:3.4' locally
[2021-04-14T13:39:41.918Z] 3.4: Pulling from library/alpine
[2021-04-14T13:39:41.918Z] c1e54eec4b57: Pulling fs layer
[2021-04-14T13:39:42.186Z] c1e54eec4b57: Download complete
[2021-04-14T13:39:42.186Z] c1e54eec4b57: Pull complete
[2021-04-14T13:39:42.455Z] Digest: sha256:b733d4a32c4da6a00a84df2ca32791bb03df95400243648d8c539e7b4cce329c
[2021-04-14T13:39:42.455Z] Status: Downloaded newer image for alpine:3.4
[2021-04-14T13:39:44.420Z] Change permissions with write access of all files inside the specific folder
[2021-04-14T13:39:45.856Z] Running in /var/lib/jenkins/workspace/PR-25012-7-2561faab-a7f1-4089-8b25-a11689f26347/src/github.com/elastic/beats/build
[2021-04-14T13:39:46.161Z] + rm -rf ve
[2021-04-14T13:39:46.161Z] + find . -type d -name vendor -exec rm -r {} ;
[2021-04-14T13:39:46.502Z] + python .ci/scripts/pre_archive_test.py
[2021-04-14T13:39:48.433Z] Copy ./x-pack/filebeat/build into build/x-pack/filebeat/build
[2021-04-14T13:39:48.457Z] Running in /var/lib/jenkins/workspace/PR-25012-7-2561faab-a7f1-4089-8b25-a11689f26347/src/github.com/elastic/beats/build
[2021-04-14T13:39:48.475Z] Recording test results
[2021-04-14T13:39:51.870Z] [Checks API] No suitable checks publisher found.
[2021-04-14T13:39:52.246Z] + go clean -modcache
[2021-04-14T13:39:55.907Z] Cleaning up /var/lib/jenkins/workspace/PR-25012-7-2561faab-a7f1-4089-8b25-a11689f26347
[2021-04-14T13:39:55.907Z] Client: Docker Engine - Community
[2021-04-14T13:39:55.907Z]  Version:           20.10.3
[2021-04-14T13:39:55.907Z]  API version:       1.41
[2021-04-14T13:39:55.907Z]  Go version:        go1.13.15
[2021-04-14T13:39:55.907Z]  Git commit:        48d30b5
[2021-04-14T13:39:55.907Z]  Built:             Fri Jan 29 14:33:13 2021
[2021-04-14T13:39:55.907Z]  OS/Arch:           linux/amd64
[2021-04-14T13:39:55.907Z]  Context:           default
[2021-04-14T13:39:55.907Z]  Experimental:      true
[2021-04-14T13:39:55.907Z] 
[2021-04-14T13:39:55.907Z] Server: Docker Engine - Community
[2021-04-14T13:39:55.907Z]  Engine:
[2021-04-14T13:39:55.907Z]   Version:          20.10.3
[2021-04-14T13:39:55.907Z]   API version:      1.41 (minimum version 1.12)
[2021-04-14T13:39:55.907Z]   Go version:       go1.13.15
[2021-04-14T13:39:55.907Z]   Git commit:       46229ca
[2021-04-14T13:39:55.907Z]   Built:            Fri Jan 29 14:31:25 2021
[2021-04-14T13:39:55.907Z]   OS/Arch:          linux/amd64
[2021-04-14T13:39:55.907Z]   Experimental:     false
[2021-04-14T13:39:55.907Z]  containerd:
[2021-04-14T13:39:55.907Z]   Version:          1.4.4
[2021-04-14T13:39:55.907Z]   GitCommit:        05f951a3781f4f2c1911b05e61c160e9c30eaa8e
[2021-04-14T13:39:55.907Z]  runc:
[2021-04-14T13:39:55.907Z]   Version:          1.0.0-rc93
[2021-04-14T13:39:55.908Z]   GitCommit:        12644e614e25b05da6fd08a38ffa0cfe1903fdec
[2021-04-14T13:39:55.908Z]  docker-init:
[2021-04-14T13:39:55.908Z]   Version:          0.19.0
[2021-04-14T13:39:55.908Z]   GitCommit:        de40ad0
[2021-04-14T13:39:55.908Z] Change ownership of all files inside the specific folder from root/root to current user/group
[2021-04-14T13:40:02.548Z] Change permissions with write access of all files inside the specific folder
[2021-04-14T13:40:02.870Z] Running in /var/lib/jenkins/workspace/PR-25012-7-2561faab-a7f1-4089-8b25-a11689f26347
[2021-04-14T13:40:08.331Z] + gsutil --version
[2021-04-14T13:40:09.837Z] Masking supported pattern matches of $FILE_CREDENTIAL
[2021-04-14T13:40:10.159Z] + gcloud auth activate-service-account --key-file ****
[2021-04-14T13:40:10.739Z] Activated service account credentials for: [beats-ci-gcs-plugin@elastic-ci-prod.iam.gserviceaccount.com]
[2021-04-14T13:40:11.073Z] + gsutil -m -q cp -a public-read eC1wYWNrL2ZpbGViZWF0LWJ1aWxkMDQwNDE1MjE2N2VkOWVkNjIyZWVjNzBlMWRhMjMzZDEwZWVhOTU4OQ gs://beats-ci-temp/ci/cache/
[2021-04-14T13:40:13.228Z] Stage "Packaging" skipped due to earlier failure(s)
[2021-04-14T13:40:13.303Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-25012/src/github.com/elastic/beats
[2021-04-14T13:40:13.772Z] Running on Jenkins in /var/lib/jenkins/workspace/Beats_beats_PR-25012
[2021-04-14T13:40:13.826Z] [INFO] getVaultSecret: Getting secrets
[2021-04-14T13:40:13.937Z] Masking supported pattern matches of $VAULT_ADDR or $VAULT_ROLE_ID or $VAULT_SECRET_ID
[2021-04-14T13:40:14.920Z] + chmod 755 generate-build-data.sh
[2021-04-14T13:40:14.920Z] + ./generate-build-data.sh https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-25012/ https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-25012/runs/7 FAILURE 3917710
[2021-04-14T13:40:15.171Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-25012/runs/7/steps/?limit=10000 -o steps-info.json
[2021-04-14T13:40:25.048Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-25012/runs/7/tests/?status=FAILED -o tests-errors.json

💚 Flaky test report

Tests succeeded.

Expand to view the summary

Test stats 🧪

Test	Results
Failed	0
Passed	46994
Skipped	5134
Total	52128

[elasticmachine]

Pinging @elastic/agent (Team:Agent)

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b osquery/result_type_translation upstream/osquery/result_type_translation
git merge upstream/master
git push upstream osquery/result_type_translation

[aleksmaus]

the integration and kibana are updated to handle keyword/long keyword/double multifields correctly

[urso]

nit; new code should not use NewLogger. The logger should be assumed to be a dependency that must be passed in.