I see from the docs that the Journald input for Filebeat is still in technical preview? How long is it expected to stay in technical preview?
It's not like Journald is new or anything? Have been waiting on the ability to ingest journald logs for 9 years now.
@duncaninnes it sounds like it's close - I've been troubleshooting a journald input issue recently which led me to this, where devs discuss the remaining blockers to going GA:
opened 09:29PM - 10 Nov 23 UTC
Team:Elastic-Agent
- Relates https://github.com/elastic/elastic-agent/issues/3650
As of Debian 1… 2 system logs are exclusively available via journald by default. Today we support reading journald logs via the Filebeat [journald input](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-journald.html), which is still in technical preview and has several major bugs filed against it. See https://github.com/elastic/beats/issues?q=is%3Aissue+is%3Aopen+journald notably:
- [ ] https://github.com/elastic/beats/issues/34077
- [ ] https://github.com/elastic/beats/issues/32782
- [ ] https://github.com/elastic/beats/issues/30398
We need to provide a GA way to read journald logs. There are two paths to this:
1. Fix the major issues in the journald input and GA it as is. All integrations that previously read syslog files by default will need a conditional to specify that journald should be used instead of one of the log files on Linux (see [example](https://github.com/elastic/integrations/blob/9dcd6eac196eed413eff898c1ecbc46fe1d745e1/packages/iptables/data_stream/log/agent/stream/journald.yml.hbs#L1)). Possibly this conditional will need to be on the Linux distribution and not just Linux as a platform.
2. ~Fold the existing journald functionality into filestream, so that there is only one way to read log files and all existing uses of filestream to read system logs continue to work with no or minimal modification. In the ideal case we detect we are reading journald logs based on a .journal extension or well known file paths, but we may need a configuration flag for this. If we do end up with a configuration flag we could consider implementing journald support as a type of parser https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-filestream.html#_parsers~
Edit:
Option 1 is the path forward, we'll keep the separate journald input.
To close this issue we'll need to:
```[tasklist]
### Tasks
- [ ] https://github.com/elastic/beats/issues/34077
- [ ] https://github.com/elastic/beats/issues/32782
- [ ] https://github.com/elastic/beats/issues/30398
- [ ] https://github.com/elastic/beats/issues/37876
- [ ] https://github.com/elastic/beats/issues/37877
- [ ] https://github.com/elastic/integrations/issues/9067
```
Closed by system on March 29, 2024, 6:27pm.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.