System Integration 1.58.2 - 1.59.0 generates invalid configuration for agent 7.17.22 #10457

@pchila

Description

How to Reproduce

  • Create a new 8.15.0 stack (issue was observed on self-managed but it should appear on cloud as well) including Fleet server
  • Enroll agent 7.17.22 using a policy that includes System Integration
  • Observe Filebeat being stuck in 'CONFIGURING' state
    ubuntu@sm-agent:~/elastic-agent-7.17.22-linux-x86_64$ sudo elastic-agent status
    Status: HEALTHY
    Message: (no message)
    Applications:
      * filebeat               (CONFIGURING)
                               Updating configuration
      * metricbeat             (HEALTHY)
                               Running
      * filebeat_monitoring    (HEALTHY)
                               Running
      * metricbeat_monitoring  (HEALTHY)
                               Running
    
  • Looking into filebeat logs we can see that the processor syslog is not recognized
    {"log.level":"error","@timestamp":"2024-07-11T18:21:06.677+0200","log.logger":"centralmgmt","log.origin":{"file.name":"cfgfile/list.go","file.line":108},"message":"Error creating runner from config: the processor action syslog does not exist. Valid actions: add_cloud_metadata, community_id, dissect, urldecode, decode_base64_field, truncate_fields, add_host_metadata, decode_xml, registered_domain, include_fields, detect_mime_type, add_cloudfoundry_metadata, add_kubernetes_metadata, decode_json_fields, add_locale, add_observer_metadata, dns, script, copy_fields, decompress_gzip_field, drop_event, add_fields, add_labels, drop_fields, replace, add_process_metadata, convert, decode_cef, rate_limit, fingerprint, timestamp, add_nomad_metadata, extract_array, add_tags, rename, add_docker_metadata, add_id, decode_csv_fields, decode_xml_wineventlog, add_network_direction","service.name":"filebeat","ecs.version":"1.6.0"}
    {"log.level":"error","@timestamp":"2024-07-11T18:21:06.677+0200","log.logger":"centralmgmt.fleet","log.origin":{"file.name":"management/manager.go","file.line":322},"message":"1 error: Error creating runner from config: the processor action syslog does not exist. Valid actions: add_cloud_metadata, community_id, dissect, urldecode, decode_base64_field, truncate_fields, add_host_metadata, decode_xml, registered_domain, include_fields, detect_mime_type, add_cloudfoundry_metadata, add_kubernetes_metadata, decode_json_fields, add_locale, add_observer_metadata, dns, script, copy_fields, decompress_gzip_field, drop_event, add_fields, add_labels, drop_fields, replace, add_process_metadata, convert, decode_cef, rate_limit, fingerprint, timestamp, add_nomad_metadata, extract_array, add_tags, rename, add_docker_metadata, add_id, decode_csv_fields, decode_xml_wineventlog, add_network_direction","service.name":"filebeat","ecs.version":"1.6.0"}
  • Here's the policy fragment that is causing the problem:
   - id: logfile-system-46c1f093-ea69-484b-828d-921821058e95
     name: system-2
     revision: 1
     type: logfile
     use_output: default
     meta:
       package:
         name: system
         version: 1.58.2
     data_stream:
       namespace: default
     package_policy_id: 46c1f093-ea69-484b-828d-921821058e95
     streams:
       - id: logfile-system.auth-46c1f093-ea69-484b-828d-921821058e95
         data_stream:
           dataset: system.auth
           type: logs
         ignore_older: 72h
         paths:
           - /var/log/auth.log*
           - /var/log/secure*
         exclude_files:
           - \.gz$
         multiline:
           pattern: ^\s
           match: after
         tags:
           - system-auth
         processors:
           - add_locale: null
           - rename:
               fields:
                 - from: message
                   to: event.original
               ignore_missing: true
               fail_on_error: false
           - syslog:
               field: event.original
               ignore_missing: true
               ignore_failure: true

Expected

System integration should generate an input definition that is compatible with agent versions where the syslog processor is not available (maybe using conditionals to switch between 2 separate definitions of the input based on the agent version).
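
A triage check for the failure reported above, as an added example that is not part of the original issue or the project's code: it pulls the rejected processor and the "Valid actions" list out of Filebeat's JSON error lines, then compares a stream's processors against that list. The log lines are constructed and shortened from the ones in the report, and the function names are hypothetical.

```python
import json
import re

# Constructed sample, shortened from the Filebeat error in the report above
# (the "Valid actions" list is cut down to a few entries).
SAMPLE_LOG = [
    '{"log.level":"error","log.logger":"centralmgmt","message":"Error creating runner from config: '
    'the processor action syslog does not exist. Valid actions: add_locale, rename, dissect, add_fields",'
    '"service.name":"filebeat"}',
    '{"log.level":"info","log.logger":"centralmgmt","message":"constructed unrelated line"}',
    "not json at all",
]

# Processors of the system.auth stream, taken from the policy fragment in the report.
POLICY_PROCESSORS = [
    {"add_locale": None},
    {"rename": {"fields": [{"from": "message", "to": "event.original"}]}},
    {"syslog": {"field": "event.original"}},
]

ERR = re.compile(r"the processor action (\S+) does not exist\. Valid actions: (.+)$")


def parse_unknown_processors(lines):
    """Return {rejected_processor: set(valid_actions)} from Filebeat JSON log lines."""
    found = {}
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip non-JSON lines instead of aborting the scan
        if not isinstance(rec, dict) or rec.get("log.level") != "error":
            continue
        m = ERR.search(str(rec.get("message", "")))
        if m:
            valid = {a.strip() for a in m.group(2).split(",")}
            found.setdefault(m.group(1), set()).update(valid)
    return found


def unsupported_in_policy(processors, valid_actions):
    """Names of processors in a stream that the running Beat does not register."""
    return [name for p in processors for name in p if name not in valid_actions]


if __name__ == "__main__":
    for name, valid in parse_unknown_processors(SAMPLE_LOG).items():
        print("rejected processor:", name)
        print("unsupported in policy:", unsupported_in_policy(POLICY_PROCESSORS, valid))
```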
