Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[System module] Only one instance of Journald runs when both syslog and auth filesets are enabled #41378

Open
belimawr opened this issue Oct 22, 2024 · 1 comment · May be fixed by #41381
Open

[System module] Only one instance of Journald runs when both syslog and auth filesets are enabled #41378

belimawr opened this issue Oct 22, 2024 · 1 comment · May be fixed by #41381
Assignees
@belimawr
Labels
bug Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team

Comments

@belimawr
Copy link
Contributor

belimawr commented Oct 22, 2024
edited
Loading

  1. Branch off main and merge onto it:
    i. Read journal entries from all boots #41244
    ii. system-logs input ignores folders and add tests #41296
    iii. Add the missing process.name field to System module, Syslog fileset #41354

  2. Package Filebeat

  3. Run the setup command

    ./filebeat setup --modules system

  4. Run Filebeat with the following filebeat.yml and modules.d/system.yml

    filebeat.yml

    filebeat.inputs:
  - type: journald
    id: my-journald-normal-input
    tags:
       - journald-input
  - type: filestream
    id: my-filestream-id
    paths:
      - /tmp/flog.log

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
  reload.period: 1s

setup.template:
  settings:
    index.number_of_shards: 1

setup.kibana:
  host: "http://kibana:5601"
  username: admin
  password: testing
  ssl.verification_mode: none

output.elasticsearch:
  hosts: ["http://elasticsearch:9200"]
  preset: latency
  protocol: "http"

  username: admin
  password: testing
  ssl.verification_mode: none

    modules.d/system.yml 

    - module: system
  syslog:
    enabled: true
    var.use_journald: true
    input:
      tags:
        - from-journald

  auth:
    enabled: true
    var.use_journald: true
    var.tags:
      - from-journald

  5. Go to Discover in Kibana, filter by tags: from-journald

  6. Look at fileset.name from the events, there will be only one fileset instead of two, it's random

  7. GOTO 1, you might find a different fileset on 5.
@belimawr belimawr added bug Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team labels Oct 22, 2024
@belimawr belimawr self-assigned this Oct 22, 2024
@elasticmachine
Copy link
Collaborator

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@belimawr belimawr linked a pull request Oct 22, 2024 that will close this issue
Open
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@belimawr belimawr

Labels
bug Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix system module with both filesets enabled belimawr/beats
2 participants
@belimawr @elasticmachine