[System] Fix indentation of tags inside syslog datastream #8345

Merged
merged 3 commits into from
Oct 31, 2023

Conversation

@kcreddy (Contributor) commented Oct 31, 2023

Proposed commit message

  • Fix indentation of tags inside system.syslog input configuration.
  • Add system tests for system.syslog datastream
  • Add missing fields "input.type", "log.file.path", and "log.offset" into syslog datastream.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

  • [ ]

How to test this PR locally

$ elastic-package stack down && elastic-package build && elastic-package stack up --version=8.10.3 -d -v && eval "$(elastic-package stack shellinit)" && elastic-package test system --generate --data-streams syslog -v

--- Test results for package: system - START ---
╭─────────┬─────────────┬───────────┬───────────┬────────┬──────────────╮
│ PACKAGE │ DATA STREAM │ TEST TYPE │ TEST NAME │ RESULT │ TIME ELAPSED │
├─────────┼─────────────┼───────────┼───────────┼────────┼──────────────┤
│ system  │ syslog      │ system    │ default   │ PASS   │  44.8591515s │
╰─────────┴─────────────┴───────────┴───────────┴────────┴──────────────╯
--- Test results for package: system - END   ---
Done

Related issues

Screenshots

@kcreddy kcreddy added Integration:system System bugfix Pull request that fixes a bug issue labels Oct 31, 2023
@kcreddy kcreddy self-assigned this Oct 31, 2023
@elasticmachine commented Oct 31, 2023

💚 Build Succeeded


Build stats

  • Start Time: 2023-10-31T04:55:35.878+0000

  • Duration: 19 min 38 sec

Test stats 🧪

Test Results
Failed 0
Passed 156
Skipped 0
Total 156

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@elasticmachine

🌐 Coverage report

Name Metrics % (covered/total) Diff
Packages 100.0% (3/3) 💚
Files 100.0% (4/4) 💚
Classes 100.0% (4/4) 💚
Methods 67.857% (57/84) 👎 -24.451
Lines 98.415% (2981/3029) 👍 6.834
Conditionals 100.0% (0/0) 💚

@kcreddy kcreddy marked this pull request as ready for review October 31, 2023 05:12
@kcreddy kcreddy requested review from a team as code owners October 31, 2023 05:12
@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@ishleenk17 (Member) left a comment

Looks good!

"name": "thermald"
},
"system": {
"syslog": {}
Contributor commented

I was just trying to understand the data that we receive in the system.syslog field. The test logs and the sample events don't log any data into this field, and the ingest GROK pattern doesn't process data in the system.syslog field either. Can we consider removing the field definition in fields.yml if we are not going to log data in the system.syslog field?

@kcreddy (Contributor, Author) commented Oct 31, 2023

@muthu-mps Maybe the field is there to let users add their custom fields to this group using the @custom pipeline.
But if it's not needed, can you create another issue/PR? I only added some fields because the system tests were failing otherwise.

Member commented

This empty object is the result of deleting all of the keys from within the syslog map. We should be removing it via the ingest pipeline if it is entirely empty.

It would probably be simpler to write the output of the grok into _temp rather than system.syslog if we will always be renaming everything under system.syslog.* such that it becomes empty. Then we can unconditionally remove _temp at the end.
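The two pipeline shapes sketched in the comment above, written out as an added Elasticsearch ingest pipeline fragment; this is illustration, not the system integration's own pipeline, and the grok pattern, the capture names under `_temp` and the ECS targets are assumptions chosen for the example.

```yaml
# Added example, not the integration's pipeline. Grok writes every capture
# into a scratch map (_temp), each capture is renamed to its final field,
# and the scratch map is dropped unconditionally at the end.
description: Parse a classic syslog line via a _temp scratch map.
processors:
  - grok:
      field: message
      patterns:
        # Constructed pattern for an RFC 3164 style line; an assumption.
        - '%{SYSLOGTIMESTAMP:_temp.timestamp} %{SYSLOGHOST:_temp.hostname} %{DATA:_temp.program}(?:\[%{POSINT:_temp.pid}\])?: %{GREEDYDATA:_temp.message}'
  - rename:
      field: _temp.hostname
      target_field: host.hostname
      ignore_missing: true
  - rename:
      field: _temp.program
      target_field: process.name
      ignore_missing: true
  - convert:
      field: _temp.pid
      type: long
      ignore_missing: true
  - rename:
      field: _temp.pid
      target_field: process.pid
      ignore_missing: true
  - rename:
      field: _temp.message
      target_field: message
      ignore_missing: true
  - date:
      field: _temp.timestamp
      target_field: '@timestamp'
      formats:
        - MMM  d HH:mm:ss
        - MMM dd HH:mm:ss
      ignore_failure: true
  # Every capture has been moved out, so _temp can always be removed and no
  # empty object such as "_temp": {} reaches the index.
  - remove:
      field: _temp
      ignore_missing: true
  # Alternative if grok must keep writing under system.syslog: remove the
  # parent only when the renames have left it empty (Painless condition).
  # - remove:
  #     field: system.syslog
  #     if: ctx.system?.syslog != null && ctx.system.syslog.isEmpty()
  #     ignore_missing: true
```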

@kcreddy kcreddy merged commit a43c895 into elastic:main Oct 31, 2023
@elasticmachine

Package system - 1.47.1 containing this change is available at https://epr.elastic.co/search?package=system

@kcreddy kcreddy deleted the system_syslog_tags branch February 7, 2025 09:08