
Read journal entries from all boots

Open belimawr opened this issue 4 months ago • 6 comments

Proposed commit message

Some versions of journalctl will only return messages from the current boot when --follow is passed; it will even ignore the cursor or date arguments.

This commit reads messages from all boots by first calling journalctl without the --follow flag, reading all entries and once it successfully exits, then we restart journalctl with the cursor and the --follow flag.

Checklist

  • [x] My code follows the style guidelines of this project
  • [x] I have commented my code, particularly in hard-to-understand areas
  • [ ] ~~I have made corresponding changes to the documentation~~
  • [ ] ~~I have made corresponding change to the default configuration files~~
  • [x] I have added tests that prove my fix is effective or that my feature works
  • [x] I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

~~## Disruptive User Impact~~

Author's Checklist

  • [x] Ensure TestInputParsers from filebeat/input/journald/input_parsers_test.go is not flaky
  • [x] Add tests to ensure messages from all boots are read
  • [ ] Check whether the restart of journalctl can cause problems with multiline parser (see https://github.com/elastic/beats/issues/41331)

How to test this PR locally

1. Run the tests

```
cd filebeat/input/journald
go test -run=TestInputCanReadAllBoots
```

2. Run Filebeat reading filebeat/input/journald/testdata/multiple-boots.journal

There must be 6 entries; you can see the plaintext entries by looking at filebeat/input/journald/testdata/multiple-boots.export or by running:

```
journalctl --file filebeat/input/journald/testdata/multiple-boots.export
```

3. Fully manual test

  1. Run the journald input on a machine (or a journal file) that has got messages from more than one boot
  2. Ensure all messages in the journal are correctly ingested.

Related issues

  • Closes https://github.com/elastic/beats/issues/41083

~~## Use cases~~ ~~## Screenshots~~ ~~## Logs~~

belimawr, Oct 15 '24 19:10
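
The two-pass read described in the proposed commit message, sketched as an added example (not the PR's code or Filebeat's implementation). The `runner` type, `readAllBoots` and the sample entries are hypothetical names and constructed data; against a real journal the second pass blocks until journalctl exits.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// runner starts journalctl and returns its stdout (hypothetical seam; real code wraps os/exec).
type runner func(args ...string) (io.Reader, error)

// readAllBoots drains the backlog without --follow, then follows from the last __CURSOR.
func readAllBoots(run runner, cursor string, emit func(string)) (string, error) {
	for _, mode := range [][]string{{}, {"--follow"}} {
		args := append([]string{"--output=json"}, mode...)
		if cursor != "" {
			args = append(args, "--after-cursor="+cursor)
		}
		out, err := run(args...)
		if err != nil {
			return cursor, err
		}
		sc := bufio.NewScanner(out)
		for sc.Scan() {
			var e struct {
				Cursor  string `json:"__CURSOR"`
				Message string `json:"MESSAGE"` // assumed to be text, not a byte array
			}
			if err := json.Unmarshal(sc.Bytes(), &e); err != nil {
				return cursor, err
			}
			cursor = e.Cursor
			emit(e.Message)
		}
		if err := sc.Err(); err != nil {
			return cursor, err
		}
	}
	return cursor, nil
}

func main() { // constructed sample: each pass returns the same single entry
	fake := func(args ...string) (io.Reader, error) {
		return strings.NewReader(`{"__CURSOR":"c1","MESSAGE":"boot -1"}` + "\n"), nil
	}
	last, err := readAllBoots(fake, "", func(m string) { fmt.Println(m) })
	fmt.Println("resume from", last, err)
}
```

Persisting the returned cursor lets a restarted collector resume after the last entry it shipped instead of only the current boot.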