Describe the enhancement:
Add runtime support in osquerybeat to keep bundled osqueryd as the default, while optionally installing and running osqueryd from a user-provided artifact URL.
The enhancement should introduce a secure, configurable custom install flow with:
osquery_install.artifact_url
osquery_install.sha256
osquery_install.allow_insecure_url (optional, default false; for non-HTTPS test/dev only)
osquery_install.ssl (TLS config, same style as other Beats SSL settings)
Behavior requirements:
- If
artifact_url is not set, current bundled behavior remains unchanged.
- If
artifact_url is removed after a prior custom install, remove previous managed custom artifact state and use bundled osquery.
- If
artifact_url is set:
- download artifact
- verify SHA256
- extract platform package (
tar, zip, msi, pkg)
- validate binary identity (
osqueryd --version, executable checks, platform layout checks)
- install in the same directory used for bundled osquery
- use custom
binPath on success
- when updating to a new checksum, remove the previous installed release
- Failure handling:
- any custom artifact install/validation error fails startup with a clear error and beat status
failed
Extension compatibility:
- Preserve current extension autoload guarantees (Elastic extension mandatory first entry).
- Ensure extension works when
osqueryd comes from custom install (either keep extension path explicit from bundled location or ensure it is available in selected runtime path).
Safety and operational requirements:
- Enforce HTTPS artifact URLs by default (allow explicit insecure override only for non-prod/testing).
- Keep installation idempotent (reuse when checksum/version already active).
- Record selected source (
bundled vs custom) and effective osquery_version in manager payload/logs.
- Add tests for config validation, checksum mismatch, extraction/layout validation, binary validation, strict startup failure behavior, and extension/autoload invariants.
- Document new config options in reference config templates.

Describe the enhancement:
Add runtime support in
osquerybeatto keep bundledosquerydas the default, while optionally installing and runningosquerydfrom a user-provided artifact URL.The enhancement should introduce a secure, configurable custom install flow with:
osquery_install.artifact_urlosquery_install.sha256osquery_install.allow_insecure_url(optional, default false; for non-HTTPS test/dev only)osquery_install.ssl(TLS config, same style as other Beats SSL settings)Behavior requirements:
artifact_urlis not set, current bundled behavior remains unchanged.artifact_urlis removed after a prior custom install, remove previous managed custom artifact state and use bundled osquery.artifact_urlis set:tar,zip,msi,pkg)osqueryd --version, executable checks, platform layout checks)binPathon successfailedExtension compatibility:
osquerydcomes from custom install (either keep extension path explicit from bundled location or ensure it is available in selected runtime path).Safety and operational requirements:
bundledvscustom) and effectiveosquery_versionin manager payload/logs.