
Journald Input

Version 1.2.1 (View all)
Compatible Kibana version(s) 8.8.0 or higher
9.0.0 or higher
Supported Serverless project types
Security
Observability
Subscription level
Basic
Level of support
Elastic

The journald input integration reads logs from the journald system service. For each entry it collects both the log message and the metadata that journald stores alongside it.

The journald input is available on Linux systems with systemd installed.

To read journald logs from within a container, you need to use a Docker image variant that contains the journalctl binary. The variant that supports journald is elastic-agent-complete.

Journal file formats can change in incompatible ways, making it impossible to read files generated by a newer version of journald. Ensure the journal files you are reading were generated by a version equal to or older than the journalctl shipped with the Docker image.

To check the version of journalctl shipped with an Elastic-Agent Docker image, run the following command:

docker run --rm -it --entrypoint journalctl docker.elastic.co/elastic-agent/elastic-agent-complete:<VERSION>  --version

An example event looks as follows:

{
    "@timestamp": "2020-07-22T13:17:10.012Z",
    "agent": {
        "ephemeral_id": "f7858fe6-ce04-46d6-83c3-f45a4e019395",
        "id": "26693255-8a33-48c9-87cc-3d5f846c4bcd",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.11.0"
    },
    "data_stream": {
        "dataset": "journald.logs",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.0.0"
    },
    "elastic_agent": {
        "id": "26693255-8a33-48c9-87cc-3d5f846c4bcd",
        "snapshot": true,
        "version": "8.11.0"
    },
    "event": {
        "agent_id_status": "verified",
        "code": "ec387f577b844b8fa948f33cad9a75e6",
        "created": "2023-10-02T18:19:38.048Z",
        "dataset": "journald.logs",
        "ingested": "2023-10-02T18:19:41Z",
        "kind": "event"
    },
    "host": {
        "hostname": "sleipnir",
        "id": "505afdafda3b4f33a63749ae39284742"
    },
    "input": {
        "type": "journald"
    },
    "journald": {
        "custom": {
            "available": "0",
            "available_pretty": "0B",
            "current_use": "1023455232",
            "current_use_pretty": "976.0M",
            "disk_available": "6866636800",
            "disk_available_pretty": "6.3G",
            "disk_keep_free": "1466253312",
            "disk_keep_free_pretty": "1.3G",
            "journal_name": "System journal",
            "journal_path": "/var/log/journal/505afdafda3b4f33a63749ae39284742",
            "limit": "977502208",
            "limit_pretty": "932.2M",
            "max_use": "977502208",
            "max_use_pretty": "932.2M"
        },
        "gid": 0,
        "host": {
            "boot_id": "fa3c2e3080dc4cd5be5cb5a43e140d51"
        },
        "pid": 19317,
        "process": {
            "capabilities": "25402800cf",
            "command_line": "/lib/systemd/systemd-journald",
            "executable": "/lib/systemd/systemd-journald",
            "name": "systemd-journal"
        },
        "uid": 0
    },
    "log": {
        "syslog": {
            "appname": "systemd-journald",
            "facility": {
                "code": 3
            },
            "priority": 6
        }
    },
    "message": "System journal (/var/log/journal/505afdafda3b4f33a63749ae39284742) is 976.0M, max 932.2M, 0B free.",
    "process": {
        "args": [
            "/lib/systemd/systemd-journald"
        ],
        "args_count": 1,
        "command_line": "/lib/systemd/systemd-journald",
        "pid": 19317,
        "thread": {
            "capabilities": {
                "effective": [
                    "CAP_CHOWN",
                    "CAP_DAC_OVERRIDE",
                    "CAP_DAC_READ_SEARCH",
                    "CAP_FOWNER",
                    "CAP_SETGID",
                    "CAP_SETUID",
                    "CAP_SYS_PTRACE",
                    "CAP_SYS_ADMIN",
                    "CAP_AUDIT_CONTROL",
                    "CAP_MAC_OVERRIDE",
                    "CAP_SYSLOG",
                    "CAP_AUDIT_READ"
                ]
            }
        }
    },
    "systemd": {
        "cgroup": "/system.slice/systemd-journald.service",
        "invocation_id": "7c11cda63635437bafe21c92851618a8",
        "slice": "system.slice",
        "transport": "driver",
        "unit": "systemd-journald.service"
    },
    "tags": [
        "forwarded"
    ],
    "user": {
        "group": {
            "id": "0"
        },
        "id": "0"
    }
}