beats
Read journal entries from all boots
Proposed commit message
Some versions of journalctl will only return messages from the current boot when --follow is passed; they will even ignore the cursor or date arguments.
This commit reads messages from all boots by first calling journalctl without the --follow flag and reading all entries; once it successfully exits, we restart journalctl with the cursor and the --follow flag.
Checklist
- [x] My code follows the style guidelines of this project
- [x] I have commented my code, particularly in hard-to-understand areas
- [ ] ~~I have made corresponding changes to the documentation~~
- [ ] ~~I have made corresponding change to the default configuration files~~
- [x] I have added tests that prove my fix is effective or that my feature works
- [x] I have added an entry in `CHANGELOG.next.asciidoc` or `CHANGELOG-developer.next.asciidoc`.
~~## Disruptive User Impact~~
Author's Checklist
- [x] Ensure `TestInputParsers` from `filebeat/input/journald/input_parsers_test.go` is not flaky
- [x] Add tests to ensure messages from all boots are read
- [ ] Check whether the restart of journalctl can cause problems with multiline parser (see https://github.com/elastic/beats/issues/41331)
How to test this PR locally
1. Run the tests
```
cd filebeat/input/journald
go test -run=TestInputCanReadAllBoots
```
2. Run Filebeat reading filebeat/input/journald/testdata/multiple-boots.journal
There must be 6 entries; you can see the plaintext entries by looking at filebeat/input/journald/testdata/multiple-boots.export or by running:
```
journalctl --file filebeat/input/journald/testdata/multiple-boots.export
```
3. Fully manual test
- Run the journald input on a machine (or a journal file) that has got messages from more than one boot
- Ensure all messages in the journal are correctly ingested.
Related issues
- Closes https://github.com/elastic/beats/issues/41083
~~## Use cases~~ ~~## Screenshots~~ ~~## Logs~~
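The two-phase read described in the commit message, as an added Go sketch (not code from this PR or from Filebeat). `journalctlArgs`, `drain` and the `sample` entries are hypothetical names and constructed data; the example assumes JSON output in which every entry carries `__CURSOR` and `_BOOT_ID`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Constructed sample of `journalctl --output=json` output spanning two boots.
const sample = `{"__CURSOR":"s=a;i=1","_BOOT_ID":"boot-1","MESSAGE":"before reboot"}
{"__CURSOR":"s=a;i=2","_BOOT_ID":"boot-2","MESSAGE":"after reboot"}
`

// journalctlArgs builds one phase: follow=false reads stored entries from every
// boot and exits; follow=true tails new entries after the saved cursor.
func journalctlArgs(cursor string, follow bool) []string {
	args := []string{"--output=json", "--no-pager"}
	if cursor != "" {
		args = append(args, "--after-cursor="+cursor)
	}
	if follow {
		args = append(args, "--follow")
	}
	return args
}

// drain consumes phase-one output and returns the entry count, the number of
// distinct boots seen, and the last cursor (unchanged if nothing was read).
func drain(r io.Reader, cursor string) (int, int, string, error) {
	boots, n, dec := map[string]bool{}, 0, json.NewDecoder(r)
	for {
		var e struct {
			Cursor string `json:"__CURSOR"`
			BootID string `json:"_BOOT_ID"`
		}
		if err := dec.Decode(&e); err == io.EOF {
			return n, len(boots), cursor, nil
		} else if err != nil {
			// Stop at the first bad entry; the caller keeps the last good cursor.
			return n, len(boots), cursor, fmt.Errorf("entry %d: %w", n+1, err)
		}
		n, cursor, boots[e.BootID] = n+1, e.Cursor, true
	}
}

func main() {
	n, boots, cursor, err := drain(strings.NewReader(sample), "")
	fmt.Println(n, boots, err, journalctlArgs(cursor, true))
}
```

The cursor returned by the first phase is the only state handed to the second, so an entry written between the two invocations is still picked up by `--after-cursor` rather than lost.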
This pull request is now in conflicts. Could you fix it? 🙏 To fixup this pull request, you can check it out locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/
```
git fetch upstream
git checkout -b 41083-journald-input-all-boots upstream/41083-journald-input-all-boots
git merge upstream/main
git push upstream 41083-journald-input-all-boots
```
This pull request does not have a backport label. If this is a bug or security fix, could you label this PR @belimawr? 🙏. For such, you'll need to label your PR with:
- The upcoming major version of the Elastic Stack
- The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)
To fixup this pull request, you need to add the backport labels for the needed branches, such as:
- `backport-8./d` is the label to automatically backport to the `8./d` branch. `/d` is the digit
backport-8.x has been added to help with the transition to the new branch 8.x.
If you don't need it please use backport-skip label and remove the backport-8.x label.
Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)