[8.x](backport #41555) Journald support for System module

[mergify[bot]]

Proposed commit message

This commit adds journald support for the System module, both filesets now have a use_journald variable that can be set to force using Journald to ingest syslog and auth logs.

The ingest pipelines are updated, now there is an entrypoint pipeline that selects the correct one according to the field input.type.

System tests are also added.

Checklist

• [x] My code follows the style guidelines of this project
• [x] I have commented my code, particularly in hard-to-understand areas
• [x] I have made corresponding changes to the documentation
• [x] I have made corresponding change to the default configuration files
• [x] I have added tests that prove my fix is effective or that my feature works
• [x] I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

## Disruptive User Impact

Author's Checklist

• [x] Ensure the journald input is ingesting data correctly

How to test this PR locally

1. Package Filebeat from this PR
2. Configure the ES output and Kibana credentials
3. Enable the system module (./filebeat modules enable system), set var.use_journald: true for both filesets (edit modules.d/system.yml)
4. Setup the assets: ./filebeat setup --modules system (this requires Kibana credentials correctly set)
5. Run Filebeat as root
6. Look at the logs in the filebeat-* data view, filter by event.dataset: system.syslog or event.dataset: system.auth, ensure the logs are correctly ingested
7. Look at the system module dashboards, ensure they're working/show data.

Related issues

• Closes https://github.com/elastic/beats/issues/40526

## Use cases

Screenshots

Dashboards, journald and logs side by side

   

Events, journald and logs side by side


## Logs

---

This is an automatic backport of pull request #41555 done by Mergify.

[botelastic[bot]]

This pull request doesn't have a Team:<team> label.