From 138d66cfcb0611645b6c0a356ba91756607fdc7f Mon Sep 17 00:00:00 2001 From: Lucas Manuel Rodriguez Date: Fri, 13 Oct 2023 14:58:24 -0300 Subject: [PATCH] Add release notes for #7766 (#14497) I'm not sure this is the best place to put this information or if this is the best format. But we need to inform users of these changes somewhere in the v4.39.0 release notes. Am all ears. --------- Co-authored-by: Rachael Shaw --- changes/13489-implement-api-changes | 2 -- changes/7766-release-notes | 8 ++++++++ 2 files changed, 8 insertions(+), 2 deletions(-) create mode 100644 changes/7766-release-notes diff --git a/changes/13489-implement-api-changes b/changes/13489-implement-api-changes index 9b02ad5d73..e69de29bb2 100644 --- a/changes/13489-implement-api-changes +++ b/changes/13489-implement-api-changes @@ -1,2 +0,0 @@ -* Add `GET /api/_version_/fleet/queries/{id}/report` API endpoint to retrieve the stored results of a given query. -* Add `discard_data` field to API query endpoints. diff --git a/changes/7766-release-notes b/changes/7766-release-notes new file mode 100644 index 0000000000..b48951657e --- /dev/null +++ b/changes/7766-release-notes 
@@ -0,0 +1,8 @@ +* Fleet now stores results of scheduled queries: + - Fleet will store up to 1000 results for each scheduled query. + NOTE: If the number of results for a scheduled query is below 1000, then the results will continuously get updated every time the hosts send results to Fleet. + - A new `server_settings.query_reports_disabled` field was added to the global configuration to disable this feature. + - A new API endpoint was added to get the stored results of a query: `GET /api/_version_/fleet/queries/{id}/report`. + - A new field `discard_data` has been added to API queries endpoints to allow disabling reports for a query (default `false`). If using yaml files to apply queries, you will need to explicitly add `discard_data: true` to disable storing results in Fleet for scheduled queries. + - Queries with `discard_data` set to `false` will be scheduled to run on hosts, even if `automations_enabled` is set to `false`, and their results will be processed and stored in Fleet. Because of this change, Fleet now does more validation on osquery result logs that are ingested and will error on unknown message formats. +
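Review bot: changes/13489-implement-api-changes is emptied rather than removed. Its hunk is `@@ -1,2 +0,0 @@` and there is no `deleted file mode` line, so a zero-length file stays in the changes directory. Both of its bullets are now covered by changes/7766-release-notes, so delete the file in this commit instead of leaving it empty.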
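Review bot: the last bullet of changes/7766-release-notes combines two separate behaviour changes, and the second is easy to miss: the sentence "Fleet now does more validation on osquery result logs that are ingested and will error on unknown message formats" should be its own top-level bullet, since it affects anyone ingesting result logs regardless of whether they use reports. The same bullet also says that queries with `discard_data` set to `false` run on hosts and have their results stored even when `automations_enabled` is `false`, and the bullet above gives `false` as the default, so storage is on by default after upgrade. Say that explicitly in the first bullet and point there to `server_settings.query_reports_disabled` as the global opt-out. The NOTE describes what happens while a query has fewer than 1000 results but not what happens once the limit is reached; add one sentence for that case. Minor: "yaml" should be "YAML".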