Journald input only ingests events from the current boot

[belimawr]

• Affected version: main (it will be released in 8.16.0)
• Operating System: Linux

Since we migrated to using journalctl to read journal logs we're only ingesting the logs from the current boot. That happens because when we call journalctl with the -f flag, it only returns logs from the current boot.

How to reproduce

1. Download a 8.16.0 snapshot or build Filebeat from main

2. Create the following filebeat.yml

   filebeat.yml

   filebeat.inputs:
     - type: journald
       id: my-journald-input
   
   output:
     file:
       path: ${path.home}
       filename: output
       rotate_every_kb: 1000000 #1Gb

3. Start Filebeat

4. Check the different boots in the events

   cat output-*|jq '.journald.host.boot_id'|uniq

You will find only a single boot ID.

Repeat the same procedure with Filebeat 8.15.2, there will be multiple boot IDs

How to test

1. Make sure there is more than one boot on your journal by running:

root@vagrant-debian-12:~/filebeat# journalctl --list-boots
IDX BOOT ID                          FIRST ENTRY                 LAST ENTRY                 
 -5 4a6190928ecb475cabbce67f5c1b5004 Tue 2024-09-17 13:44:16 UTC Wed 2024-09-18 02:17:01 UTC
 -4 7d0d965365c4452a867497dc402d6892 Fri 2024-09-20 16:00:46 UTC Fri 2024-09-20 16:42:30 UTC
 -3 de7cb6dc8aeb432890fc74065d69fad6 Fri 2024-09-20 16:42:36 UTC Sun 2024-09-22 07:41:50 UTC
 -2 3bef166cbe6a40978cc160b6251ffa1a Tue 2024-10-01 13:56:57 UTC Tue 2024-10-01 18:17:01 UTC
 -1 3c7d7cbf5c59454581c6f24b8a84323f Tue 2024-10-01 20:14:38 UTC Tue 2024-10-01 21:28:33 UTC
  0 9cf28a5f90024748a2982c4166feb28a Tue 2024-10-01 21:28:59 UTC Wed 2024-10-02 05:17:01 UTC
root@vagrant-debian-12:~/filebeat# 

example.journal.tar.gz contains 6 entries from 3 different boots:

root@vagrant-debian-12:~# journalctl --file ./example.journal 
Oct 01 21:28:33 vagrant-debian-12 systemd-journald[261]: Received SIGTERM from PID 1 (systemd-shutdow).
Oct 01 21:28:33 vagrant-debian-12 systemd-journald[261]: Journal stopped
-- Boot 3bef166cbe6a40978cc160b6251ffa1a --
Oct 01 18:17:01 vagrant-debian-12 CRON[2576]: (root) CMD (cd / && run-parts --report /etc/cron.hourly)
Oct 01 18:17:01 vagrant-debian-12 CRON[2575]: pam_unix(cron:session): session closed for user root
-- Boot 9cf28a5f90024748a2982c4166feb28a --
Oct 02 05:13:14 vagrant-debian-12 chronyd[535]: Selected source 204.2.134.162 (2.debian.pool.ntp.org)
Oct 02 05:13:14 vagrant-debian-12 chronyd[535]: System clock wrong by 4750.871819 seconds

You can also validate that when the -f option is passed only the last boot is returned:

root@vagrant-debian-12:~# journalctl --file ./example.journal  -f --no-tail
Oct 02 05:13:14 vagrant-debian-12 chronyd[535]: Selected source 204.2.134.162 (2.debian.pool.ntp.org)
Oct 02 05:13:14 vagrant-debian-12 chronyd[535]: System clock wrong by 4750.871819 seconds
root@vagrant-debian-12:~# 

[elasticmachine]

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)