Add syslog source - macos system.log

[defensivedepth]

What does this PR do?

Adds /var/log/system.log to default syslog input datastream for macOS.

Have been running this for quite some time:

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

[cla-checker-service]

💚 CLA has been signed

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-04-25T14:07:33.805+0000

• Duration: 15 min 3 sec

Test stats 🧪

Test	Results
Failed	0
Passed	145
Skipped	0
Total	145

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[defensivedepth]

FYI, just signed the agreement.

[belimawr]

@nimarezainia adding /var/log/system.log by default looks fine to me, do you see any reasons not to add it?

[defensivedepth]

Anything I can do to help move this forward?

[botelastic]

Hi! We just realized that we haven't looked into this PR in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

[defensivedepth]

Yep this is still valid. Let me know what I can do to help move it along!

[belimawr]

I'll look into that again, sorry for the delay @defensivedepth !

[botelastic]

Hi! We just realized that we haven't looked into this PR in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

[defensivedepth]

Anything I can do to help move this along?

[nimarezainia]

@nimarezainia adding /var/log/system.log by default looks fine to me, do you see any reasons not to add it?

sorry for the extremely late response. I don;t see any issues here.

[elasticmachine]

Pinging @elastic/elastic-agent (Team:Elastic-Agent)

[cmacknz]

Adding /var/log/system* is correct on newer versions of MacOS.

To move this forward we just need the changelog updated in packages/system/changelog.yml to create a new version of the integration. You can see an example of how to do this in https://github.com/elastic/integrations/pull/5160/files. You need something like this:

- version: "1.24.0"
  changes:
    - description: Add basic dimension fields for cpu, load and memory
      type: enhancement
      link: https://github.com/elastic/integrations/pull/1234

This change could be considered either a bug fix or new functionality, probably the latter makes more sense here so updating the version to 1.25.0 works.

[defensivedepth]

@cmacknz This PR currently uses /var/log/system.log - are you suggesting I change it to /var/log/system* ?

[cmacknz]

/var/log/system.log by itself seems correct. I am just used to writing wildcard paths so I wrote that automatically without looking closer. /var/log/system* is probably safer if Apple ever changes the log rotation strategy.

On my MacOS Monterey system I see the following, where every time it rotates the previous file is compressed with the .gz extension which the integration ignores for this data stream already.

system.log
system.log.0.gz
system.log.1.gz
system.log.2.gz
system.log.3.gz
system.log.4.gz
system.log.5.gz
system.log.6.gz

The .gz extension for the system logs datastream is ignored here for reference:

integrations/packages/system/data_stream/syslog/agent/stream/log.yml.hbs

Line 5 in 74f8fc4

exclude_files: [".gz$"]

[defensivedepth]

Ok, I have updated the PR based on feedback from @cmacknz

[cmacknz]

You need to increase the package version in the manifest.yml file to match what is in the changelog:

integrations/packages/system/manifest.yml

Line 4 in a7a076d

version: 1.24.2

diff --git a/packages/system/manifest.yml b/packages/system/manifest.yml
index b20180a28..43f732a0a 100644
--- a/packages/system/manifest.yml
+++ b/packages/system/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: system
 title: System
-version: 1.24.2
+version: 1.25.0
 license: basic
 description: Collect system logs and metrics from your servers with Elastic Agent.
 type: integration

[botelastic]

Hi! We just realized that we haven't looked into this PR in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

[andrewkroh]

I fixed the manifest version and merged it with main. It should be good to merge assuming it goes green.

[elasticmachine]

🌐 Coverage report

Name	Metrics % (covered/total)	Diff
Packages	100.0% (3/3)	💚
Files	100.0% (4/4)	💚
Classes	100.0% (4/4)	💚
Methods	60.759% (48/79)	👍 27.426
Lines	99.535% (2780/2793)	👎 -0.465
Conditionals	100.0% (0/0)	💚

[defensivedepth]

Thanks @andrewkroh, I missed the notification that there was still a change needed!

[elasticmachine]

Package system - 1.26.0 containing this change is available at https://epr.elastic.co/search?package=system