Auditd package: revert back change to dynamic_dataset/namespace

[gsantoro]

What does this PR do?

Revert back changes from issue elastic/kibana#157897.

Removing the following configs from the system package manifest

elasticsearch.dynamic_dataset: true
elasticsearch.dynamic_namespace: true

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

• [ ]

How to test this PR locally

Related issues

• Relates add flags to give permissions to write to any dataset and namespace kibana#157897

Screenshots

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-07-04T10:53:58.811+0000

• Duration: 15 min 5 sec

Test stats 🧪

Test	Results
Failed	0
Passed	9
Skipped	0
Total	9

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[elasticmachine]

🌐 Coverage report

Name	Metrics % (covered/total)	Diff
Packages	100.0% (1/1)	💚
Files	100.0% (1/1)	💚
Classes	100.0% (1/1)	💚
Methods	100.0% (15/15)	💚 14.286
Lines	97.985% (2140/2184)	👍 4.214
Conditionals	100.0% (0/0)	💚

[andrewkroh]

Can you please point me to an issue or comment somewhere that explains why these changes are being reverted. It wasn't obvious to me from looking at the linked issues.

If you do end up adding this back, could you please not use the dotted key format (relates to elastic/package-spec#538). i.e.

elasticsearch:
  dynamic_dataset: true
  dynamic_namespace: true

[gsantoro]

Actually, now that we discuss this further, I think we shouldn't revert these changes.

This integration is tailing the actual audits and not the logs of the auditd application. This datastream should eventually be an input package but for a similar reason why we decided to not rever the changes for kubernetes.container_logs, we shouldn't revert this change either.

@felixbarny and @ruflin do you agree to close this PR and not merge it?

[felixbarny]

sgtm

[gsantoro]

I'm closing this PR without merging it. Reason at #6808 (comment).

[andrewkroh]

This datastream should eventually be an input package

auditd does not seem like it should be an input package IMO. It's not a generic input type that you would be applying to different sources. It specifically reads the output of the Linux auditd daemon. This makes me wonder why we would need elasticsearch.dynamic_dataset and elasticsearch.dynamic_namespace in the first place. I think it would be best to continue with this and remove them.