Hello, may I ask if I deleted the pack pack on fleet UI, but the log of pack pack query will still be generated? What's the situation?

Hi demonbhao. Do you mind walking me through the steps you took from deleting the pack within the Fleet UI to viewing the generated log output?

Ok, on my side, I first logged on to the Fleet UI to pause the pack query, and then I went back to the Fleet server and found that the logs were still sent (Figure 1).Later I deleted the Pack query directly, but the Fleet server still sent the query log.Figure 2 shows the Pack shown on the Fleet UI

Sorry for the delayed response. I’m brining up this question with the Fleet team

Hello, the log is still being sent. It has been going on for several days

Are the two enabled query packs (

General indicators

and

ossec_rootkit

) also generating logs in kibana? I wonder if the machines generating the

listening_external_port_V1

logs have had their osquery configuration changed since you deleted this query pack. Meaning they know that the only query packs they should be running are the two in your second screenshot. I’m going to attempt to recreate your issue later today.

My God, I came to check Elk's log today and found that the deleted pack package is finally not querying I really appreciate your help

Great! The issue seems like an odd one to me. Glad it’s resolved. Do you mind adding your last message in the GitHub issue and closing that issue?

Well, thank you very much