I deployed an Elastic Agent 7.10.2 on Debian Linux using Fleet and the "System Integration", all metric logs disabled.
By default, the System integration will look in:
/var/log/auth.log* and /var/log/secure* for "System auth" logs and
/var/log/messages* and /var/log/syslog* for "System syslog" logs.
I made a small test trying to log in via SSH with an unknown user.
This only ingests a syslog entry to Elastic Cloud, and the log entry is only in the "message" field, not mapped out into separate fields.
Now, if I delete "/var/log/syslog*" in the Agent policy on the System integration, then I suddenly get auth logs into Elastic and the log entry is mapped into different fields, e.g. user.name.
Can anyone confirm/verify that this is a bug?