Datasets `system.auth` and `system.syslog` are not available for AL2023 under Data streams tab.

amolnater-qasource commented 7 months ago

Kibana Build details:

VERSION: 8.13.0 SNAPSHOT
BUILD: 71393
COMMIT: 4f3bc35472dfeb88c02466790bd3c96dcc98f4de
Artifact Link: https://snapshots.elastic.co/8.13.0-e2cda7bd/downloads/beats/elastic-agent/elastic-agent-8.13.0-SNAPSHOT-linux-x86_64.tar.gz

Host OS: Amazon Linux 2023(AL2023)

Preconditions:

8.13.0 SNAPSHOT Kibana cloud environment should be available.

Steps to reproduce:

Install agent on AL2023 with agent policy having System integration.
Navigate to Data streams tab and observe no data available for system.auth and system.syslog datasets.

Screenshots:

Expected Result: Datasets system.auth and system.syslog should be available for AL2023 under Data streams tab.

Testing Under: https://github.com/elastic/ingest-dev/issues/2942

elasticmachine commented 7 months ago

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

amolnater-qasource commented 7 months ago

@manishgupta-qasource Please review.

pierrehilbert commented 7 months ago

The issue seems to be the same than https://github.com/elastic/elastic-agent/issues/3650, AL2023 is using journald instead of rsyslog

manishgupta-qasource commented 7 months ago

Secondary review for this ticket is Done

pierrehilbert commented 6 months ago

Will be covered by https://github.com/elastic/beats/issues/37086

elasticmachine commented 3 months ago

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

belimawr commented 1 month ago

While https://github.com/elastic/beats/issues/37086 paves the path to close this issue, it is also needed to update the system integration to use the journald input on hosts that have moved away from traditional log files.

elastic / elastic-agent

Datasets `system.auth` and `system.syslog` are not available for AL2023 under Data streams tab. #4250