[Enhancement] Add Preserve event.original option to Kubernetes container and audit logs

packages/kubernetes/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.85.2"
+  changes:
+    - description: Add preserve_original_event option to manifest of audit_logs and container_logs.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/18215
 - version: "1.85.1"
   changes:
     - description: Add container_logs system tests and update base-fields.yml

packages/kubernetes/data_stream/audit_logs/agent/stream/stream.yml.hbs

@@ -12,6 +12,9 @@ processors:
 {{processors}}
 {{/if}}
 tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
 {{#each tags as |tag|}}
   - {{tag}}
 {{/each}}

packages/kubernetes/data_stream/audit_logs/manifest.yml

@@ -183,7 +183,7 @@ streams:
 
       - name: preserve_original_event
         required: true
-        show_user: true
+        show_user: false
         title: Preserve original event
         description: Preserves a raw copy of the original event, added to the field `event.original`
         type: bool
@@ -476,3 +476,11 @@ streams:
         multi: false
         required: false
         show_user: false
+      - name: preserve_original_event
+        required: false
+        show_user: true
+        title: Preserve original event
+        description: Preserves a raw copy of the original event, added to the field `event.original`
+        type: bool
+        multi: false
+        default: false

packages/kubernetes/data_stream/container_logs/agent/stream/stream.yml.hbs

@@ -33,6 +33,14 @@ parsers:
     format: {{ containerParserFormat }}
 {{ additionalParsersConfig }}
 
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+  - {{tag}}
+{{/each}}
+
 processors:
 {{!
   Why do we need to add the following processors?

packages/kubernetes/data_stream/container_logs/manifest.yml

@@ -16,7 +16,6 @@ streams:
           for details on how to set the ID to avoid data duplication.
         type: text
         show_user: false
-
       - name: paths
         type: text
         required: true
@@ -112,6 +111,22 @@ streams:
 
         type: yaml
         default: ""
+      - name: preserve_original_event
+        required: false
+        show_user: true
+        title: Preserve original event
+        description: Preserves a raw copy of the original event, added to the field `event.original`
+        type: bool
+        multi: false
+        default: false   
+        show_user: false
+      - name: tags
+        type: text
+        title: Tags
+        multi: true
+        required: false
+        show_user: true
+        default:          
 # Ensures agents have permissions to write data to `logs-*-*`
 elasticsearch:
   dynamic_dataset: true

packages/kubernetes/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 3.1.2
 name: kubernetes
 title: Kubernetes
-version: 1.85.1
+version: 1.85.2
 description: Collect logs and metrics from Kubernetes clusters with Elastic Agent.
 type: integration
 categories: