elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

[System module] Only one instance of Journald runs when both syslog and auth filesets are enabled #41378

Open belimawr opened 4 days ago

belimawr commented 4 days ago
  1. Branch off main and merge onto it:
     i. https://github.com/elastic/beats/pull/41244
     ii. https://github.com/elastic/beats/pull/41296
     iii. https://github.com/elastic/beats/pull/41354

  2. Package Filebeat

  3. Run the setup command

    ```shell
    ./filebeat setup --modules system
    ```
  4. Run Filebeat with the following filebeat.yml and modules.d/system.yml

    filebeat.yml

    ```yaml
    filebeat.inputs:
      - type: journald
        id: my-journald-normal-input
        tags:
          - journald-input
      - type: filestream
        id: my-filestream-id
        paths:
          - /tmp/flog.log

    filebeat.config.modules:
      path: ${path.config}/modules.d/*.yml
      reload.enabled: false
      reload.period: 1s

    setup.template:
      settings:
        index.number_of_shards: 1

    setup.kibana:
      host: "http://kibana:5601"
      username: admin
      password: testing
      ssl.verification_mode: none

    output.elasticsearch:
      hosts: ["http://elasticsearch:9200"]
      preset: latency
      protocol: "http"
      username: admin
      password: testing
      ssl.verification_mode: none
    ```

    modules.d/system.yml

    ```yaml
    - module: system
      syslog:
        enabled: true
        var.use_journald: true
        input:
          tags:
            - from-journald
      auth:
        enabled: true
        var.use_journald: true
        var.tags:
          - from-journald
    ```

  5. Go to Discover in Kibana, filter by tags: from-journald

  6. Look at `fileset.name` in the events: there will be only one fileset instead of two, and which one it is is random.

  7. GOTO 1; you might find a different fileset in step 5.
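A scripted version of step 6, added here as an example and not part of the issue or of the Beats code base: it reads Filebeat events as NDJSON (the sample events below are constructed, not captured output), keeps only events tagged `from-journald`, and reports which of the two enabled filesets produced no events at all, which is exactly the symptom described above.

```python
import json
from collections import Counter
from typing import Optional

EXPECTED_FILESETS = {"syslog", "auth"}  # both enabled in modules.d/system.yml above


def _event(fileset: Optional[str], tags: list, input_type: str = "journald") -> dict:
    """Build one Filebeat-style event (constructed for this example, not real output)."""
    ev = {"input": {"type": input_type}, "tags": tags}
    if fileset:
        ev["event"] = {"module": "system", "dataset": f"system.{fileset}"}
        ev["fileset"] = {"name": fileset}
    return ev


# Constructed NDJSON samples, shaped like what Filebeat's file output would write.
# BUGGY_RUN mimics the report: every from-journald event comes from a single fileset.
BUGGY_RUN = "\n".join(json.dumps(e) for e in [
    _event("syslog", ["from-journald"]),
    _event("syslog", ["from-journald"]),
    _event(None, ["journald-input"]),            # the standalone journald input
    _event(None, [], input_type="filestream"),   # /tmp/flog.log
])
HEALTHY_RUN = "\n".join(json.dumps(e) for e in [
    _event("syslog", ["from-journald"]),
    _event("auth", ["from-journald"]),
])


def filesets_by_tag(ndjson: str, tag: str = "from-journald") -> Counter:
    """Count events per fileset.name, considering only events that carry `tag`."""
    counts: Counter = Counter()
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if tag in ev.get("tags", []):
            counts[ev.get("fileset", {}).get("name", "<none>")] += 1
    return counts


def missing_filesets(ndjson: str, expected=frozenset(EXPECTED_FILESETS)) -> set:
    """Expected filesets with no tagged events; a non-empty set means the bug reproduced."""
    return set(expected) - set(filesets_by_tag(ndjson))


if __name__ == "__main__":
    for label, run in (("buggy", BUGGY_RUN), ("healthy", HEALTHY_RUN)):
        print(label, dict(filesets_by_tag(run)), "missing:", missing_filesets(run) or "none")
```

To run it against a real reproduction, point `filesets_by_tag` at the contents of the file written by Filebeat's file output instead of the constructed samples.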

elasticmachine commented 4 days ago

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)