Osquery revisions (elastic#122727)

* update image to latest * clarify the saved queries section * add one more clarification to saved queries section * remove note about ECS mapping that no longer applies * copy edit * address review comments * small copy edit * add a link and info to help users find the log file location * address review comment
nchaulet · Jan 13, 2022 · b5d2d75 · b5d2d75
1 parent c526ff9
commit b5d2d75
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 16 deletions.
diff --git a/docs/osquery/images/live-query-check-results.png b/docs/osquery/images/live-query-check-results.png
diff --git a/docs/osquery/osquery.asciidoc b/docs/osquery/osquery.asciidoc
@@ -121,11 +121,18 @@ image::images/scheduled-pack.png[Shows queries in the pack and details about eac
 
 [float]
 [[osquery-manage-query]]
-== Edit saved queries
+== Save queries
 
-Add or edit saved queries from the *Saved queries* tab.
+You can save queries in two ways:
 
-. Go to the saved queries, then click **Add saved query** or the edit icon.
+* After running a live query, click the *Save for later* link.
+* From the *Saved queries* tab, click the **Add saved query** button.
+
+Once you save a query, you can only edit it from the *Saved queries* tab.
+
+To add or edit saved queries from the *Saved queries* tab:
+
+. Go to *Saved queries*, and then click **Add saved query** or the edit icon.
 . Provide the following fields:
 
 * The unique identifier.
@@ -148,7 +155,7 @@ Add or edit saved queries from the *Saved queries* tab.
 
 * From the *Test query* panel, select agents or groups to test the query, then click *Submit* to run a live query. Result columns with the image:images/mapped-icon.png[mapping] icon are mapped. Hover over the icon to see the mapped ECS field.
 
-. Click **Save query**.
+. Click *Save* or *Update*. 
 
 [float]
 [[osquery-map-fields]]
@@ -175,11 +182,7 @@ and the mapped ECS fields. For example, if you update a query to map `osquery.na
 
 ** **Static value**: Enter a static value. When the query runs, the ECS field is set to the value entered. For example, static fields can be used to apply `tags` or your preferred `event.category` to the query results. 
 
-. Map more fields, as needed.
-
-** To add a new row for additional fields to map, click the plus icon.
-
-** To remove any mapped rows, click the trash icon.
+. Map more fields, as needed. To remove any mapped rows, click the delete icon.
 
 . Save your changes.
 
@@ -314,7 +317,7 @@ While this allows you to use advanced Osquery functionality like pack discovery
 
 . Edit the *Osquery config* JSON field to apply your preferred Osquery configuration. Note the following:
 
-* The field may already have content if you have scheduled packs for this agent policy. To keep these packs scheduled, do not edit the `packs` section.
+* The field may already have content if you have scheduled packs for this agent policy. To keep these packs scheduled, do not remove the `packs` section.
 
 * Refer to the https://osquery.readthedocs.io/en/stable/[Osquery documentation] for configuration options. 
 
@@ -344,14 +347,12 @@ https://www.elastic.co/guide/en/fleet/master/upgrade-elastic-agent.html[upgrade
 
 [float]
 === Debug issues
-If you encounter issues with *Osquery Manager*, find the relevant logs for the {elastic-agent}
-and Osquerybeat in the installed agent directory, then adjust the agent path for your setup. 
-
-The relevant logs look similar to the following example paths:
+If you encounter issues with *Osquery Manager*, find the relevant logs for {elastic-agent}
+and Osquerybeat in the agent directory. Refer to the {fleet-guide}/installation-layout.html[Fleet Installation layout] to find the log file location for your OS.
 
 ```ts
-`/data/elastic-agent-054e22/logs/elastic-agent-json.log-*`
-`/data/elastic-agent-054e22/logs/default/osquerybeat-json.log`
+../data/elastic-agent-*/logs/elastic-agent-json.log-*
+../data/elastic-agent-*/logs/default/osquerybeat-json.log
 ```
 
 To get more details in the logs, change the agent logging level to debug: