
[System]: System logs no longer collected by default for MacOS #15462

@cmacknz

Description

Integration Name

System [system]

Dataset Name

system.syslog

Integration Version

2.6.1

Agent Version

9.2.0-SNAPSHOT

Agent Output Type

elasticsearch

Elasticsearch Version

9.2.0-SNAPSHOT

OS Version and Architecture

Sequoia 15.7

Software/API Version

No response

Error Message

No response

Event Original

No response

What did you do?

Installed the system integration in an agent policy for an agent running on a MacBook Pro.

What did you see?

No system logs

What did you expect to see?

System logs.

Only the system/metrics input is running on the agent:

```
❯ sudo elastic-development-agent status --output=full
┌─ fleet
│  └─ status: (HEALTHY) Connected
└─ elastic-agent
   ├─ status: (HEALTHY) Running
   ├─ info
   │  ├─ id: 2e7a77bc-a792-4d66-91ea-615719d4972e
   │  ├─ version: 9.2.0
   │  └─ commit: 4cd10aa641a5e298dabed246f1f55b98fbcd6afa
   ├─ system/metrics-default
   │  ├─ status: (HEALTHY) Healthy: communicating with pid '73339'
   │  ├─ system/metrics-default
   │  │  ├─ status: (HEALTHY) Healthy
   │  │  └─ type: OUTPUT
   │  └─ system/metrics-default-system/metrics-system-bc590a46-66d6-4f6d-b5e0-6337041d08b0
   │     ├─ status: (HEALTHY) Healthy
   │     └─ type: INPUT
```

However, the system log inputs are included, but I think the conditions are unintentionally excluding them on MacOS:

```yaml
inputs:
    - data_stream:
        namespace: default
      id: logfile-system-bc590a46-66d6-4f6d-b5e0-6337041d08b0
      meta:
        package:
            name: system
            version: 2.6.1
      name: system-1
      package_policy_id: bc590a46-66d6-4f6d-b5e0-6337041d08b0
      revision: 1
      streams:
        - allow_deprecated_use: true
          condition: ${host.os_version} != "12 (bookworm)" and ${host.os_version} != "13 (trixie)" and (${host.os_platform} != "amzn" or ${host.os_version} != "2023") and (${host.os_platform} != "sles" and startsWith(${host.os_version}, "15") == false)
          data_stream:
            dataset: system.auth
            type: logs
          exclude_files:
            - \.gz$
          id: logfile-system.auth-bc590a46-66d6-4f6d-b5e0-6337041d08b0
          ignore_older: 72h
          multiline:
            match: after
            pattern: ^\s
          paths:
            - /var/log/auth.log*
            - /var/log/secure*
          processors:
            - add_locale: null
            - rename:
                fail_on_error: false
                fields:
                    - from: message
                      to: event.original
                ignore_missing: true
            - syslog:
                field: event.original
                ignore_failure: true
                ignore_missing: true
          tags:
            - system-auth
        - allow_deprecated_use: true
          condition: ${host.os_version} != "12 (bookworm)" and ${host.os_version} != "13 (trixie)" and (${host.os_platform} != "amzn" or ${host.os_version} != "2023") and (${host.os_platform} != "sles" and startsWith(${host.os_version}, "15") == false)
          data_stream:
            dataset: system.syslog
            type: logs
          exclude_files:
            - \.gz$
          id: logfile-system.syslog-bc590a46-66d6-4f6d-b5e0-6337041d08b0
          ignore_older: 72h
          multiline:
            match: after
            pattern: ^\s
          paths:
            - /var/log/messages*
            - /var/log/syslog*
            - /var/log/system*
          processors:
            - add_locale: null
          tags: null
      type: logfile
      use_output: default
    - data_stream:
        namespace: default
      id: journald-system-bc590a46-66d6-4f6d-b5e0-6337041d08b0
      meta:
        package:
            name: system
            version: 2.6.1
      name: system-1
      package_policy_id: bc590a46-66d6-4f6d-b5e0-6337041d08b0
      revision: 1
      streams:
        - condition: ${host.os_version} == "12 (bookworm)" or ${host.os_version} == "13 (trixie)" or (${host.os_platform} == "amzn" and ${host.os_version} == "2023") or (${host.os_platform} == "sles" and startsWith(${host.os_version}, "15") == true)
          data_stream:
            dataset: system.auth
            type: logs
          facilities:
            - 4
            - 10
          id: journald-system.auth-bc590a46-66d6-4f6d-b5e0-6337041d08b0
          tags: null
          type: journald
        - condition: ${host.os_version} == "12 (bookworm)" or ${host.os_version} == "13 (trixie)" or (${host.os_platform} == "amzn" and ${host.os_version} == "2023") or (${host.os_platform} == "sles" and startsWith(${host.os_version}, "15") == true)
          data_stream:
            dataset: system.syslog
            type: logs
          facilities:
            - 0
            - 1
            - 2
            - 3
            - 5
            - 6
            - 7
            - 8
            - 9
            - 11
            - 12
            - 15
          id: journald-system.syslog-bc590a46-66d6-4f6d-b5e0-6337041d08b0
          tags: null
          type: journald
      type: journald
      use_output: default
```

Anything else?

No response
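As an added illustration (not code from the issue or from the integration), the two stream conditions from the policy above mirrored clause for clause as Python predicates and evaluated against constructed sample hosts, to show which hosts end up with neither the logfile nor the journald input. `logfile_condition_negated` is an assumption of mine, the plain logical negation of the journald condition, not a fix proposed in the issue.

```python
# Added example (not Elastic Agent code): the two stream conditions from the
# policy, mirrored as Python predicates and evaluated against constructed
# hosts to see which hosts get neither input.

def logfile_condition(os_platform: str, os_version: str) -> bool:
    """The `condition:` on both logfile streams, exactly as in the policy."""
    return (
        os_version != "12 (bookworm)"
        and os_version != "13 (trixie)"
        and (os_platform != "amzn" or os_version != "2023")
        # `and` here excludes ANY host whose version starts with "15",
        # macOS Sequoia included, not only SLES 15.
        and (os_platform != "sles" and not os_version.startswith("15"))
    )

def journald_condition(os_platform: str, os_version: str) -> bool:
    """The `condition:` on both journald streams, exactly as in the policy."""
    return (
        os_version == "12 (bookworm)"
        or os_version == "13 (trixie)"
        or (os_platform == "amzn" and os_version == "2023")
        or (os_platform == "sles" and os_version.startswith("15"))
    )

def logfile_condition_negated(os_platform: str, os_version: str) -> bool:
    """Assumed correction (not proposed in the issue): the exact negation of
    journald_condition; De Morgan turns the last `and` into `or`."""
    return (
        os_version != "12 (bookworm)"
        and os_version != "13 (trixie)"
        and (os_platform != "amzn" or os_version != "2023")
        and (os_platform != "sles" or not os_version.startswith("15"))
    )

# Constructed sample hosts as (host.os_platform, host.os_version); values are
# illustrative, not captured from real agents.
SAMPLE_HOSTS = {
    "macos-sequoia": ("darwin", "15.7"),
    "debian-bookworm": ("debian", "12 (bookworm)"),
    "sles-15": ("sles", "15-SP6"),
    "amazon-linux-2023": ("amzn", "2023"),
    "ubuntu-jammy": ("ubuntu", "22.04"),
}

def uncovered_hosts(logfile=logfile_condition):
    """Hosts for which neither the logfile nor the journald input would run."""
    return sorted(name for name, (platform, version) in SAMPLE_HOSTS.items()
                  if not logfile(platform, version)
                  and not journald_condition(platform, version))
```

With the shipped condition `uncovered_hosts()` returns only the macOS host; with the negated clause it returns an empty list while SLES 15, Debian 12/13 and Amazon Linux 2023 still fall through to journald only.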
