Use journald input by default when running system integration for SLES 15-SP6 #13759

Open
wants to merge 4 commits into
base: main

pierrehilbert
Contributor

@pierrehilbert pierrehilbert commented May 2, 2025

Proposed commit message

Use journald input by default when running system integration for SLES 15-SP6.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots

@pierrehilbert pierrehilbert added enhancement New feature or request Team:Elastic-Agent-Data-Plane Agent Data Plane team [elastic/elastic-agent-data-plane] labels May 2, 2025
@pierrehilbert pierrehilbert requested review from a team as code owners May 2, 2025 07:02
@elasticmachine

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@pierrehilbert pierrehilbert requested review from rdner, cmacknz and faec May 2, 2025 07:03
@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@andrewkroh andrewkroh added Integration:system System Team:Obs-InfraObs Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations] labels May 2, 2025
@rdner
Member

rdner commented May 6, 2025

@pierrehilbert there are no testing steps in the description.

Was it tested, or would you like me to run the tests?

@pierrehilbert
Contributor Author

@amolnater-qasource tested the fix by manually changing the configuration here: #13752 (comment)

But always great to have more folks confirming this is working the correct way.

@elasticmachine

💚 Build Succeeded

@@ -1,4 +1,9 @@
# newer versions go on top
- version: "2.0.1"
Member

As this is not a bugfix but a behaviour change (default change based on new condition), I think we should do a minor upgrade (2.0.0 -> 2.1.0) instead of a patch upgrade (2.0.0 -> 2.0.1)

- version: "2.0.1"
changes:
- description: Change default to use journald input for SLES 15 SP6.
type: enhancement
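
Review bot: the `description` on this entry ("Change default to use journald input for SLES 15 SP6.") names the platform but not which setting's default changed or what it changed from. Suggest naming the affected option and the previous input, so that someone reading the changelog can tell whether log collection on their SLES hosts changes on upgrade; if the condition ends up covering more than SP6, this text should be updated to match.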
Contributor

To me this looks to be a bugfix, since we haven't supported logfile for SLES since the very beginning. It's just that we had not added that to our config.

Suggested change
type: enhancement
type: bugfix

@ishleenk17
Contributor

@pierrehilbert
Also, there might be more such platform/os_version combinations we might have missed or not known about.
We always have the condition config option for the user to change that. So I don't think this should be a concern. WDYT?
The current behaviour, in case these log inputs are used, is just that they won't see any logs, is that right?

type: text
multi: false
required: false
show_user: true
default: ${host.os_version} == "12 (bookworm)" or (${host.os_platform} == "amzn" and ${host.os_version} == "2023")
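
Review bot: on the `default:` line, the first clause compares `${host.os_version}` on its own, while the Amazon Linux clause pairs `${host.os_platform}` with `${host.os_version}`. Any clause added for SLES should use the paired form, since a version string alone is not unique to one distribution. A short note in the option's description listing which platforms the default covers would also help keep it in sync with the changelog.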
Member

qq: Why just SLES 15 (SP6)? I assume journald is the primary logging system for other service packs as well as other versions of SLES?

Contributor Author

Good point, could probably be replaced by startsWith(${host.os_version}, "15") == true

Member

https://documentation.suse.com/sles/12-SP5/html/SLES-all/cha-journalctl.html (see first line)

Also SLES 12. From SLES 12 onwards, they are using journal. SLES 13 and 14 don't exist. So I think we should handle SLES 12 and 15 with startsWith

https://www.theregister.com/2018/06/25/suse_linux_enterprise_15/

^ Reason why they skipped 13 and 14

SUSE jumped from SLES 12 to 15 as both 13 and 14 are unlucky numbers. While many are aware of the negative connotations attached to the number 13, in China, 14 is also considered unlucky. This is because the number 4 in Chinese (四, pinyin: sì; Cantonese Yale: sei) is almost homophonous to the word for 'death' (死 pinyin: sǐ; Cantonese Yale: séi). Therefore, SUSE was asked not to use these numbers by partners and customers alike.

Member

With the condition we want to catch the point where an existing OS release no longer included syslog by default, not just the point where journald was available.

For existing OS releases that included both syslog and journald, this integration is working without issue by reading from the syslog files. We could switch from syslog to journald there but it opens us to the chance that it breaks something unexpectedly.

Successfully merging this pull request may close these issues.

[SLES 15]: No "system.auth" logs for system integration under Data Streams tab for SLES 15 linux agent.
7 participants