Conversation

@mergify
Contributor

@mergify mergify bot commented Oct 27, 2025

Proposed commit message

This commit uses the --boot=all argument instead of the workaround of
running journalctl twice:
- The first time without --follow to read all boots
- Then restarting it with --follow + cursor to follow the new messages

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
  • I have added an entry in ./changelog/fragments using the changelog tool.

## Disruptive User Impact

## Author's Checklist

How to test this PR locally

Run all Journald tests

    cd filebeat
    go test -count=1 -v ./input/journald/...
    mage buildSystemTestBinary
    go test -count=1 -v -tags=integration -run=TestJournald ./tests/integration

Manual tests

You will need a Linux machine (or VM) with multiple boots in its journal. To check, you can run:

    journalctl --boot=-1
    journalctl --boot=-2

And ensure the first few log lines have different timestamps.

For this test you can use any output that allows you to inspect the data; for this example I'll use Elasticsearch deployed using elastic-package.

  1. Get Elasticsearch and Kibana up and running

    elastic-package stack up -d
    
  2. Deploy Filebeat with the following configuration

    filebeat.yaml

    filebeat.inputs:
      - type: journald
        id: foo
    
    output.elasticsearch:
      hosts:
        - https://localhost:9200
      ssl.verification_mode: none
      username: elastic
      password: changeme
    
    logging:
      to_stderr: true

  3. Go to Kibana and open Dev Tools

  4. Run the following query

    POST /filebeat-*/_search
    {
      "size": 0,
      "aggs": {
        "boot_id_aggregation": {
          "terms": {
            "field": "journald.host.boot_id"
          }
        }
      }
    }
    

    Once enough data is ingested, you should have multiple buckets
    returned.

  5. Look at the logs and ensure there is only one log entry from when
    journalctl is started; it looks like:

    {
      "@timestamp": "2025-10-24T16:25:35.368-0400",
      "ecs.version": "1.6.0",
      "id": "1479199F3BEFB739",
      "input_id": "",
      "input_source": "LOCAL_SYSTEM_JOURNAL",
      "log.level": "info",
      "log.logger": "input.journald.reader.journalctl-runner",
      "log.origin": {
        "file.line": 146,
        "file.name": "journalctl/journalctl.go",
        "function": "github.com/elastic/beats/v7/filebeat/input/journald/pkg/journalctl.Factory"
      },
      "message": "journalctl started with PID 3135917",
      "path": "LOCAL_SYSTEM_JOURNAL",
      "service.name": "filebeat"
    }

Related issues

## Use cases
## Screenshots
## Logs


This is an automatic backport of pull request #47324 done by [Mergify](https://mergify.com).
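
Steps 4 and 5 of the manual test above can be checked mechanically. The following Go program is an added example, not code from this pull request or from Beats; the sample log lines, the trimmed `_search` response, the boot ID placeholders and the function names `countJournalctlStarts` and `bootBuckets` are constructed for illustration.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample data: Filebeat log lines and a trimmed _search response.
const sampleLogs = `{"log.logger":"input.journald.reader.journalctl-runner","message":"journalctl started with PID 4242"}
not a JSON line
{"log.logger":"input.journald","message":"some other message"}`
const sampleAgg = `{"aggregations":{"boot_id_aggregation":{"buckets":[{"key":"boot-id-placeholder-1","doc_count":120},{"key":"boot-id-placeholder-2","doc_count":87}]}}}`

// countJournalctlStarts counts runner "journalctl started" entries (step 5 expects 1).
func countJournalctlStarts(logs string) int {
	n := 0
	sc := bufio.NewScanner(strings.NewReader(logs))
	for sc.Scan() {
		var e struct {
			Logger  string `json:"log.logger"`
			Message string `json:"message"`
		}
		if json.Unmarshal(sc.Bytes(), &e) != nil {
			continue // skip lines that are not JSON log entries
		}
		if e.Logger == "input.journald.reader.journalctl-runner" &&
			strings.HasPrefix(e.Message, "journalctl started with PID ") {
			n++
		}
	}
	return n
}

// bootBuckets returns the number of boot_id buckets in the step 4 response.
func bootBuckets(resp string) (int, error) {
	var r struct {
		Aggs map[string]struct {
			Buckets []json.RawMessage `json:"buckets"`
		} `json:"aggregations"`
	}
	err := json.Unmarshal([]byte(resp), &r)
	return len(r.Aggs["boot_id_aggregation"].Buckets), err
}

func main() {
	fmt.Println(countJournalctlStarts(sampleLogs))
	fmt.Println(bootBuckets(sampleAgg))
}
```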

This commit uses the --boot=all argument instead of the workaround of
running journalctl twice:
- The first time without --follow to read all boots
- Then restarting it with --follow + cursor to follow the new messages

(cherry picked from commit 599d253)

# Conflicts:
#	filebeat/tests/integration/journald_test.go
@mergify mergify bot requested a review from a team as a code owner October 27, 2025 19:44
@mergify mergify bot added backport conflicts There is a conflict in the backported pull request labels Oct 27, 2025
@mergify mergify bot requested review from belimawr and rdner and removed request for a team October 27, 2025 19:44
@mergify
Contributor Author

mergify bot commented Oct 27, 2025

Cherry-pick of 599d253 has failed:

On branch mergify/bp/9.1/pr-47324
Your branch is up to date with 'origin/9.1'.

You are currently cherry-picking commit 599d253c0.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	modified:   filebeat/input/journald/environment_test.go
	modified:   filebeat/input/journald/input_test.go
	modified:   filebeat/input/journald/pkg/journalctl/jctlmock_test.go
	modified:   filebeat/input/journald/pkg/journalctl/journalctl.go
	modified:   filebeat/input/journald/pkg/journalctl/reader.go
	modified:   filebeat/input/journald/pkg/journalctl/reader_test.go
	modified:   libbeat/tests/integration/framework.go

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   filebeat/tests/integration/journald_test.go

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Oct 27, 2025
@mergify mergify bot mentioned this pull request Oct 27, 2025
7 tasks
@github-actions
Contributor

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

@github-actions github-actions bot added Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team skip-changelog labels Oct 27, 2025
@elasticmachine
Collaborator

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Oct 27, 2025
@belimawr belimawr merged commit 32521a1 into 9.1 Oct 28, 2025
204 of 207 checks passed
@belimawr belimawr deleted the mergify/bp/9.1/pr-47324 branch October 28, 2025 13:09