[Fleet] Agent logs to show link to discover for security projects

[juliaElastic]

Summary

Closes #167304

Show Open in Discover button instead of Open in Logs in security serverless projects.

To verify:

• Start es and kibana locally in serverless mode

yarn es serverless --kill
yarn serverless-security

#  Login with username elastic_serverless or system_indices_superuser and password changeme

• Start fleet-server locally with the fleet-server-dev service token:

# add to fleet-server.yml
output:
  elasticsearch:
    hosts: "http://localhost:9200"
    service_token: AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL2ZsZWV0LXNlcnZlci1kZXY6VVo1TWd6MnFTX3FVTWliWGNXNzlwQQ

# build fleet-server
SNAPSHOT=true DEV=true make release-darwin/amd64
# start fleet-server
./build/binaries/fleet-server-8.11.0-SNAPSHOT-darwin-x86_64/fleet-server -c fleet-server.yml

• enroll an agent (or create a fake .fleet-agents doc)
• go to Agent details and check that instead of Open in Logs there is a button Open in Discover

I have used the capabilities list from serverless.{type}.yml which is set to security/observability in the corresponding project types, but for some reason the capabilities list is not populated. @nchaulet any idea why those configs are not picked up?
Getting this on the UI:

agent_logs.tsx:87 {
  "internal": {
    "fleetServerStandalone": true,
    "disableProxies": true,
    "activeAgentsSoftLimit": 25000,
    "onlyAllowAgentUpgradeToKnownVersions": true
  },
  "agents": {
    "enabled": true
  },
  "developer": {},
  "enableExperimental": []
}

Agent logs view in security project:

Button navigates to Discover with these filters:
Data is populated with a real agent

Checklist

Delete any items that are not applicable to this PR.

• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Unit or functional tests were updated or added to match the most common scenarios

[apmmachine]

🤖 GitHub comments

Expand to view the GitHub comments

Just comment with:

• /oblt-deploy : Deploy a Kibana instance using the Observability test environments.
• /oblt-deploy-serverless : Deploy a serverless Kibana instance using the Observability test environments.
• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[joshdover]

I'd really like to find a way to retain the Logs view in Fleet. There has been work to try to maintain this but it seems that something got broken along the way:

• [Logs UI] Disable log view saved objects in serverless deployments #165222
• Split log stream into a separate plugin #159128

@tonyghiani could you help us figure out how we can get this working again in Fleet on Security projects?

[tonyghiani]

I'd really like to find a way to retain the Logs view in Fleet.
@tonyghiani could you help us figure out how we can get this working again in Fleet on Security projects?

Hey @joshdover, happy to help, could you just expand a bit more on what seems not to work anymore, please?

The tickets you mentioned were about decoupling the LogStream component and logic to be reused in Fleet and other consumers, has it stopped working?

[joshdover]

@tonyghiani Please see the bug that this PR closes: #167304. We're seeing 500s on requests to /api/infra/log_views/default

[juliaElastic]

@tonyghiani Please see the bug that this PR closes: #167304. We're seeing 500s on requests to /api/infra/log_views/default

Yes we were seeing this error:

GET /api/infra/log_views/default 500

{
    "statusCode": 500,
    "error": "Internal Server Error",
    "message": "A fallback LogView handler is not registered. Register one in the setup method of your server plugin."
}

[tonyghiani]

@juliaElastic and I will continue the conversation offline to debug the issue. I understand what the issue root is, we just need to validate it.
cc @joshdover

[juliaElastic]

Created a security project in qa to debug, and the logging view is working now, not sure when this was fixed but it seems there is no issue:

https://jb-test-security-ffef54.kb.eu-west-1.aws.qa.elastic.cloud/app/fleet/agents/1d0afeb8-7081-4d16-a485-553557fa2574/logs

Tested locally with kibana serverless-security, and it works there too.

Only the Open in Logs UI button doesn't work, so we still want to replace that to Open in Discover, right? @joshdover

[joshdover]

Only the Open in Logs UI button doesn't work, so we still want to replace that to Open in Discover, right? @joshdover

Yes, SGTM

[tonyghiani]

@juliaElastic @joshdover should this link go to the new Log Explorer experience based on Discover instead of navigating to normal Discover? If on the security serverless project the observabilityLogExplorer app is enabled (which I believe is the case), we should point the user there, what do you think?

[juliaElastic]

@juliaElastic @joshdover should this link go to the new Log Explorer experience based on Discover instead of navigating to normal Discover? If on the security serverless project the observabilityLogExplorer app is enabled (which I believe is the case), we should point the user there, what do you think?

Thanks for the suggestion, though Log Explorer is not available in security projects.

[elasticmachine]

Pinging @elastic/fleet (Team:Fleet)

[kpollich]

LGTM - thank you for the tests. 🚀

[nchaulet]

Sorry I did not see that you were trying to use that capabilities settings from the client, you will have to whitelist it so it can be use here

[juliaElastic]

Sorry I did not see that you were trying to use that capabilities settings from the client, you will have to whitelist it so it can be use here

This was it, thanks! It works locally after adding here.

[juliaElastic]

Updated to show Open in Discover for observability project too, see reasoning here.

[nchaulet]

Should we use the cloud plugin isServerlessEnabled method instead of that condition it could be more robust, wdyt?

[juliaElastic]

updated, I tested by setting xpack.cloud.serverless.project_id: "1234" in serverless.yml, as the flag is based on that

[kibana-ci]

💛 Build succeeded, but was flaky

• Buildkite Build
• Commit: ab5c748

Failed CI Steps

• Defend Workflows Cypress Tests on Serverless #1

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
fleet	1.2MB	1.2MB	+525.0B

History

• 💛 Build #165882 was flaky beed748
• 💛 Build #165818 was flaky 1559d15
• 💚 Build #165617 succeeded 142d9c4
• 💚 Build #165331 succeeded 44f5c63
• 💛 Build #165234 was flaky d6bc04b

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @juliaElastic

[nchaulet]

LGTM 🚀