`System` integration doesn't map `message` as a `text` field for some data streams

[n0othing]

The included index templates for the logs-system.application + logs-system.system data streams don't explicitly map message as a text field, so it gets mapped as a keyword due to dynamic_templates:

"dynamic_templates": [
    {
      "strings_as_keyword": {
        "mapping": {
          "ignore_above": 1024,
          "type": "keyword"
        },
        "match_mapping_type": "string"
      }
    }
  ]

Other System integration data streams do map message as a text field, which ultimately results in a mapping conflict for the logs-* Kibana index pattern.

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[nugroho-exp]

I also see the same issue with logs-system.security datastream (Windows event log).

  ".ds-logs-system.security-default-2021.09.03-000010" : {
    "mappings" : {
      "message" : {
        "full_name" : "message",
        "mapping" : {
          "message" : {
            "type" : "keyword",
            "ignore_above" : 1024
          }
        }
      }
    }
  },

The field conflict prevents us to create log threshold alert rule by message content (only IS and IS NOT are available).

[scottdfedorov]

There's already an open issue for the Windows integration. #1737

[nugroho-exp]

@scottdfedorov I think #1737 is for Windows package and this issue is for System package. As far as I know field definition is handled per-package.