@brian-mckinney
Contributor

Proposed commit message

When encoding zero timestamps to a unix epoch format, the result is incorrect if EncodingFlagUseNumbersZeroValues is set. This happens because time.Unix() uses the Go zero time (0001-01-01 00:00:00 +0000 UTC) when calculating the epoch timestamp, which results in a very large negative number (not a valid unix epoch from osquery's perspective).

I took the opportunity to refactor the timestamp encoding to reduce code reuse. I also fixed a bug in the switch statement in which the kitchen format was not being parsed correctly.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding changes to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
  • I have added an entry in ./changelog/fragments using the changelog tool.


@brian-mckinney brian-mckinney requested a review from a team as a code owner December 2, 2025 22:58
@brian-mckinney brian-mckinney added bug Osquerybeat backport-skip Skip notification from the automated backport with mergify labels Dec 2, 2025
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Dec 2, 2025
@github-actions
Contributor

github-actions bot commented Dec 2, 2025

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

@brian-mckinney brian-mckinney enabled auto-merge (squash) December 2, 2025 22:58
@brian-mckinney brian-mckinney added the Team:Security-Windows Platform Windows Platform Team in Security Solution label Dec 3, 2025
@elasticmachine
Contributor

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Dec 3, 2025
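
The zero-timestamp behaviour described in the proposed commit message, as an added example that is not code from this PR or from osquerybeat. `naiveEpoch`, `safeEpoch` and the `emitZero` parameter are hypothetical names; `emitZero` stands in for a flag such as EncodingFlagUseNumbersZeroValues.

```go
package main

import (
	"fmt"
	"time"
)

// naiveEpoch reproduces the failure mode: Unix() on Go's zero time.Time
// (0001-01-01 00:00:00 UTC) counts seconds backwards from 1970.
func naiveEpoch(t time.Time) int64 {
	return t.Unix()
}

// safeEpoch is a hypothetical helper, not the project's implementation.
// An unset timestamp is reported as 0 when emitZero is true and is
// omitted (ok == false) otherwise; a set timestamp is always encoded.
func safeEpoch(t time.Time, emitZero bool) (epoch int64, ok bool) {
	if t.IsZero() {
		return 0, emitZero
	}
	return t.Unix(), true
}

func main() {
	// Constructed sample inputs.
	var unset time.Time
	set := time.Date(2025, time.December, 2, 22, 58, 0, 0, time.UTC)

	fmt.Println("naive, unset timestamp:", naiveEpoch(unset))

	for _, emitZero := range []bool{true, false} {
		epoch, ok := safeEpoch(unset, emitZero)
		fmt.Printf("safe, unset, emitZero=%v: epoch=%d emitted=%v\n", emitZero, epoch, ok)
	}

	epoch, ok := safeEpoch(set, false)
	fmt.Printf("safe, set timestamp: epoch=%d emitted=%v\n", epoch, ok)
}
```

A negative epoch of this size in a timestamp column is a useful data-quality signal when reviewing osquery results downstream: it marks a field that was never populated, not an event from the distant past.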