Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

GA support for reading from journald #37086

Open
12 of 19 tasks
cmacknz opened this issue Nov 10, 2023 · 29 comments
Open
12 of 19 tasks

GA support for reading from journald #37086

cmacknz opened this issue Nov 10, 2023 · 29 comments
Assignees
Labels
Team:Elastic-Agent Label for the Agent team Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team

Comments

@cmacknz
Copy link
Member

cmacknz commented Nov 10, 2023

As of Debian 12 system logs are exclusively available via journald by default. Today we support reading journald logs via the Filebeat journald input, which is still in technical preview and has several major bugs filed against it. See https://github.com/elastic/beats/issues?q=is%3Aissue+is%3Aopen+journald notably:

We need to provide a GA way to read journald logs. There are two paths to this:

  1. Fix the major issues in the journald input and GA it as is. All integrations that previously read syslog files by default will need a conditional to specify that journald should be used instead of one of the log files on Linux (see example. Possibly this conditional will need to be on the Linux distribution and not just Linux as a platform.
  2. Fold the existing journald functionality into filestream, so that there is only one way to read log files and all existing uses of filestream to read system logs continue to work with no or minimal modification. In the ideal case we detect we are reading journald logs based on a .journal extension or well known file paths, but we may need a configuration flag for this. If we do end up with a configuration flag we could consider implementing journald support as a type of parser https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-filestream.html#_parsers

Edit:
Option 1 is the path forward, we'll keep the separate journald input.

To close this issue we'll need to:

Must have

Preview Give feedback
  1. Integration:journald Team:Elastic-Agent-Data-Plane
    mauri870
  2. Team:Elastic-Agent Team:Elastic-Agent-Data-Plane bug
    belimawr
  3. Filebeat Team:Elastic-Agent Team:Elastic-Agent-Data-Plane bug
    belimawr
  4. Team:Elastic-Agent-Data-Plane bug
    belimawr
  5. Team:Elastic-Agent-Data-Plane bug
    belimawr
  6. Team:Elastic-Agent-Data-Plane bug
    belimawr
  7. Team:Elastic-Agent-Data-Plane bug
    belimawr
  8. Integration:system
    belimawr

Nice to have

Preview Give feedback
  1. Team:Elastic-Agent-Data-Plane bug
    belimawr
  2. Team:Elastic-Agent docs
    belimawr
  3. Team:Elastic-Agent-Data-Plane bug
    belimawr
  4. Team:Elastic-Agent enhancement
  5. Team:Elastic-Agent-Data-Plane
  6. Team:Elastic-Agent-Data-Plane
  7. Team:Elastic-Agent-Data-Plane
    belimawr
  8. Team:Elastic-Agent-Data-Plane
    belimawr
  9. Team:Elastic-Agent-Data-Plane
    belimawr
  10. Integration:iptables Team:Elastic-Agent
    rdner
  11. Team:Elastic-Agent-Data-Plane
@cmacknz cmacknz added the Team:Elastic-Agent Label for the Agent team label Nov 10, 2023
@cmacknz
Copy link
Member Author

cmacknz commented Nov 10, 2023

@rdner I am interested to get your opinion on this given the amount of time you are spending trying to migrate and drive consistency between the log, filestream, and container input that already exist.

@leehinman
Copy link
Contributor

For Option1 do we have to provide a conditional? I think both inputs could be enabled at the same time, it would just have to be non-fatal for the source not to be present. For example you can enable both journald, logfile & udp in iptables integration all at the same time. (And UDP and journald are on by default)

@cmacknz
Copy link
Member Author

cmacknz commented Nov 14, 2023

If we don't have a conditional we risk duplicated logs. I think if we defaulted to always using both inputs we'd get a small amount of duplicated logs today on Debian 11, it looks like the kernal boot logs go to both journald and /var/log/

craig_mackenzie@cmackenzie-debian11-test:~$ journalctl
-- Journal begins at Tue 2023-11-14 20:15:17 UTC, ends at Tue 2023-11-14 20:19:35 UTC. --
Nov 14 20:15:17 debian kernel: Linux version 5.10.0-26-cloud-amd64 ([email protected]) (gcc-10 (D>
Nov 14 20:15:17 debian kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-5.10.0-26-cloud-amd64 root=UUID=62c0943b>
Nov 14 20:15:17 debian kernel: BIOS-provided physical RAM map:
Nov 14 20:15:17 debian kernel: BIOS-e820: [mem 0x0000000000000000-0x0000000000000fff] reserved
Nov 14 20:15:17 debian kernel: BIOS-e820: [mem 0x0000000000001000-0x0000000000054fff] usable
Nov 14 20:15:17 debian kernel: BIOS-e820: [mem 0x0000000000055000-0x000000000005ffff] reserved
Nov 14 20:15:17 debian kernel: BIOS-e820: [mem 0x0000000000060000-0x0000000000097fff] usable
Nov 14 20:15:17 debian kernel: BIOS-e820: [mem 0x0000000000098000-0x000000000009ffff] reserved
Nov 14 20:15:17 debian kernel: BIOS-e820: [mem 0x0000000000100000-0x00000000bf8ecfff] usable
Nov 14 20:15:17 debian kernel: BIOS-e820: [mem 0x00000000bf8ed000-0x00000000bf9ecfff] reserved
Nov 14 20:15:17 debian kernel: BIOS-e820: [mem 0x00000000bf9ed000-0x00000000bfaecfff] type 20
Nov 14 20:15:17 debian kernel: BIOS-e820: [mem 0x00000000bfaed000-0x00000000bfb6cfff] reserved
Nov 14 20:15:17 debian kernel: BIOS-e820: [mem 0x00000000bfb6d000-0x00000000bfb7efff] ACPI data
Nov 14 20:15:17 debian kernel: BIOS-e820: [mem 0x00000000bfb7f000-0x00000000bfbfefff] ACPI NVS
Nov 14 20:15:17 debian kernel: BIOS-e820: [mem 0x00000000bfbff000-0x00000000bffdffff] usable
Nov 14 20:15:17 debian kernel: BIOS-e820: [mem 0x00000000bffe0000-0x00000000bfffffff] reserved
Nov 14 20:15:17 debian kernel: BIOS-e820: [mem 0x0000000100000000-0x000000013fffffff] usable
Nov 14 20:15:17 debian kernel: printk: bootconsole [earlyser0] enabled
Nov 14 20:15:17 debian kernel: NX (Execute Disable) protection: active
Nov 14 20:15:17 debian kernel: efi: EFI v2.70 by EDK II
Nov 14 20:15:17 debian kernel: efi: TPMFinalLog=0xbfbf7000 ACPI=0xbfb7e000 ACPI 2.0=0xbfb7e014 SMBIOS=0xbf9ca0>
Nov 14 20:15:17 debian kernel: secureboot: Secure boot disabled
Nov 14 20:15:17 debian kernel: SMBIOS 2.4 present.
Nov 14 20:15:17 debian kernel: DMI: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
Nov 14 20:15:17 debian kernel: Hypervisor detected: KVM
Nov 14 20:15:17 debian kernel: kvm-clock: Using msrs 4b564d01 and 4b564d00
Nov 14 20:15:17 debian kernel: kvm-clock: cpu 0, msr 78801001, primary cpu clock
Nov 14 20:15:17 debian kernel: kvm-clock: using sched offset of 7655756989 cycles
Nov 14 20:15:17 debian kernel: clocksource: kvm-clock: mask: 0xffffffffffffffff max_cycles: 0x1cd42e4dffb, max>
Nov 14 20:15:17 debian kernel: tsc: Detected 2200.158 MHz processor
Nov 14 20:15:17 debian kernel: e820: update [mem 0x00000000-0x00000fff] usable ==> reserved
Nov 14 20:15:17 debian kernel: e820: remove [mem 0x000a0000-0x000fffff] usable
Nov 14 20:15:17 debian kernel: last_pfn = 0x140000 max_arch_pfn = 0x400000000
Nov 14 20:15:17 debian kernel: MTRR default type: write-back
Nov 14 20:15:17 debian kernel: MTRR fixed ranges enabled:
Nov 14 20:15:17 debian kernel:   00000-9FFFF write-back
Nov 14 20:15:17 debian kernel:   A0000-FFFFF uncachable

craig_mackenzie@cmackenzie-debian11-test:~$ grep -rn 'kvm-clock: cpu 0, msr 78801001, primary cpu cloc' /var/log
grep: /var/log/journal/3465bc73197d954b92a16251605729f5/system.journal: binary file matches
grep: /var/log/private: Permission denied
grep: /var/log/btmp: Permission denied
/var/log/syslog:125:Nov 14 20:15:18 debian kernel: [    0.000000] kvm-clock: cpu 0, msr 78801001, primary cpu clock
/var/log/messages:27:Nov 14 20:15:18 debian kernel: [    0.000000] kvm-clock: cpu 0, msr 78801001, primary cpu clock
grep: /var/log/chrony: Permission denied
/var/log/kern.log:27:Nov 14 20:15:18 debian kernel: [    0.000000] kvm-clock: cpu 0, msr 78801001, primary cpu clock

Granted if someone set their logs path to /var/log/*.log they'd pick up these logs from both syslog.log and kern.log today anyway.

@cmacknz
Copy link
Member Author

cmacknz commented Nov 14, 2023

It also looks like the journald input is using go-systemd/sdjournal/ which is just wrapping the systemd journal C API:

https://github.com/coreos/go-systemd/blob/7d375ecc2b092916968b5601f74cca28a8de45dd/sdjournal/journal.go#L424-L434

func NewJournal() (j *Journal, err error) {
	j = &Journal{}

	sd_journal_open, err := getFunction("sd_journal_open")
	if err != nil {
		return nil, err
	}

	r := C.my_sd_journal_open(sd_journal_open, &j.cjournal, C.SD_JOURNAL_LOCAL_ONLY)

This wouldn't fit with the idea of just using a filestream parser for journald, at best we could just hide the entire journald input inside filestream so there's a single log input, but we'd probably still need dedicated configuration specific to reading journald files.

@cmacknz
Copy link
Member Author

cmacknz commented Nov 14, 2023

The default journald configuration that reads everything is only two lines so I think at this point I'm convinced that keeping the journald input and improving it is the best path:

# Read all journald logs
- type: journald
  id: everything

I don't think folding this into filestream will make filestream easier to use, or be easier to maintain.

@rdner
Copy link
Member

rdner commented Nov 15, 2023

To summarise what we discussed with @cmacknz on a call:

  1. I think we should detect whether the OS has journald in the agent and add a new variable in the host object for the integration templates to use it like we use the condition here https://github.com/elastic/integrations/blob/f1b08ddd00724eaf3b8d9eb9ef2221f8fc7eefc4/packages/system/data_stream/system/agent/stream/winlog.yml.hbs#L2C1-L2C41

  2. I think the users who use the agent are not interested in deep configuration, so the integrations should deal with logs in both files and journald seamlessly for the user.

  3. Users who run standalone Filebeat are used to manual configurations and should be able to take care of configuring the right input for the right OS/distribution – journald or filestream.

  4. journald should remain separate, it's not really compatible with the filestream architecture and consumes logs via special syscalls.

@andrewkroh
Copy link
Member

andrewkroh commented Jan 10, 2024

A few things that come to mind related to journald:

  • The input produces large events with lots of metadata. This could have an impact on storage usage. It also might make sense to drop some of the fields.
  • The input is not optimized for producing ECS fields. IIRC it does populate ECS fields but it also duplicates the same data into non-ECS fields. It would be much better to optimize the events coming out of the input before turning this on for users by default. All journald input users would benefit IMO.
  • To make reading data most efficient for each data stream (system.syslog and system.auth) ideally we would use journalctl filtering (e.g. system.auth might use _TRANSPORT=syslog). So we need to figure out if that associated data is available in journald and what are the appropriate filters that can be used to select it. Implementing filter in the Beat using processors would be less that ideal for efficiency. (Viewing the data with sudo journalctl -o export is a great way to determine what filtering might work).

@cmacknz
Copy link
Member Author

cmacknz commented Jan 11, 2024

Thanks, I think it would make sense to compare the events collected without the journald inputs to those collected with it for the sources needed by the system integration. If the event content is significantly different it will cause problems for dashboards and queries.

@andrewkroh
Copy link
Member

This is alluded to in some linked issues, but I wanted to explicitly mention that the journald library version in our container images is v245 (from Mar 6, 2020), and when deploying this image on Ubuntu 22.04 nodes, which uses v249, you can't collect logs from the host (no crashes, just no logs). My workaround has been to repack the filebeat binaries in with a more recent base image. We might want to consider bumping our base image as part of making this GA.

@belimawr
Copy link
Contributor

belimawr commented May 1, 2024

I found another bug, probably another blocker: #39352

It seems that if Filebeat falls too far behind with the Journal the input will crash shortly after starting.

@belimawr
Copy link
Contributor

belimawr commented May 1, 2024

#32782 and #39352 happen intermittently on my test environments, so far I did not manage to isolate them but they both are coming from a call to github.com/coreos/go-systemd/v22/sdjournal

entry, err := r.journal.GetEntry()

#39352 I only managed to reproduce with Journald systemd 252 (252.16-1.amzn2023.0.2)

@pierrehilbert pierrehilbert added the Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team label May 5, 2024
@elasticmachine
Copy link
Collaborator

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@belimawr
Copy link
Contributor

belimawr commented Jun 3, 2024

Now that we support reporting status per input when running under Elastic-Agent and given that Journald can cause Filebeat to crash (as detailed by #34077), I added a task to ensure we have input status reporting for Journald before we GA so we can better report unsupported Systemd versions.

@belimawr
Copy link
Contributor

belimawr commented Jun 6, 2024

Talking with @cmacknz the best course of action for those crashes is to use journalctl to read the journald logs instead of the current github.com/coreos/go-systemd/v22/sdjournal

I created an issue to track it: #39820

@cmacknz
Copy link
Member Author

cmacknz commented Jun 6, 2024

Direct use of journalctl is the approach currently used by the OTel collector, related discussion in open-telemetry/opentelemetry-collector-contrib#2332

@cmacknz
Copy link
Member Author

cmacknz commented Jun 18, 2024

From the comment in #37086 (comment) implying the documents the journald input produces are unlikely to be optimal today, we need to add a task to compare the structure and metadata of the logs collected by journald to those collected today from syslog with the log input and ensure we only see expected differences.

@belimawr
Copy link
Contributor

@cmacknz, @pierrehilbert I've been working on using journalctl to read journald logs and comparing the events generated by my POC implementation with our current implementation. With pretty little work, the generated events are the same, which is good news.

However, the filtering we have (include_matches) is pretty broken. The example in the documentation and the reference config file differ in syntax, none of them work as expected for our current implementation 😢

So far I could access that the problem is caused by two issues:

  1. The way we represent and parse the config keys
  2. The way we call go-systemd to add the filters

Bear in mind this include_matches is an advanced filtering, without using it we can already filter by unit, syslog identifier, facility, priority, match messages with grep-like patterns, etc.

Which brings me some product related questions:

  1. What is the minimum feature set to GA journald?
  2. Do we need to keep any of the current syntax for the advanced filtering?
  3. Given Journald input is not GA and is not working as expected, how far can we go with breaking changes?

Just to give an example, the following YAML:

include_matches:
  - and:
    - match:
      - FOO=bar
    - match:
      - BAR=bar
  - or:
    - match:
      - FOO_BAR=foo_bar

generates the following logic expression:

FOO_BAR=foo_bar OR FOO=foo AND BAR=bar AND

Yes, there is an AND without one of is operands, for some reason it does not break the input, but it does not produce the expected result.

I would expect the above YAML to produce the following logic expression:

(FOO=foo AND BAR=bar) OR (FOO_BAR=foo_bar)

Honestly, I don't think we should accept YAML above, it is confusing how the AND and OR relate to each other, which will lead users to make all sorts of mistakes.

@cmacknz
Copy link
Member Author

cmacknz commented Jun 27, 2024

The journald input is in technical preview, you can make whatever changes are needed breaking or not. That said, people are using it as is so don't make breaking changes that don't actually help.

Our end goal is not just to GA journald, it is to make Debian 12 based systems (and other distros that default to journald) work in our system integration. This means we want users to be able to get the same information out of journald that they would get out of syslog, without breaking any queries, dashboards, or alerts that already exist. So breaking changes need to be focused on the shape of the output data, and if it can be filtered in the same ways, and not on the input configuration syntax used to obtain it.

If we can make it so the journald input is a drop in replacement for the log input in the system integration with no configuration changes that is even better, but I'm not sure this will be possible.

@belimawr
Copy link
Contributor

Thanks @cmacknz, I'll take a look at the system integration on a Debian 12 host and what kind of filtering it uses for logs so I can draft the minimal requirements.

@belimawr
Copy link
Contributor

TL;DR: The standard journald input, with no filters will collect all the data we need, to correctly add the dataset we can rely on the syslog facility code journald already adds to the events and are already published in the current version of the journald input.

So for #39820 I'll focus on getting the core of the journald input working with journalctl with a good set of tests and leave advanced filtering to another task.

Long version:
I've been doing some testing with Debian 12 and research, here are the key findings:
1. rsyslogd ships the data to the traditional log files
The Debian documentation states about the system message:

Under systemd, the system logging utility rsyslogd(8) may be uninstalled. If it is installed, it changes its behavior to read the volatile binary log data (instead of pre-systemd default "/dev/log") and to create traditional permanent ASCII system log data. This can be customized by "/etc/default/rsyslog" and "/etc/rsyslog.conf" for both the log file and on-screen display. See rsyslogd(8) and rsyslog.conf(5).

The Debian 12 Vagrant box I've been using comes with rsyslogd installed and configured to forward the messages to the traditional log files, here is a snipped from /etc/rsyslog.conf where we can see the messages being directed to the files based on the log facility.

/etc/rsyslog.conf

#
# First some standard log files.  Log by facility.
#
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
#cron.*                         /var/log/cron.log
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err

#
# Some "catch-all" log files.
#
*.=debug;\
        auth,authpriv.none;\
        mail.none               -/var/log/debug
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail.none               -/var/log/messages

Wikipedia lists the facilities and their names.

With that information it should be easy to "migrate" the system integration to use the journald input and test all ingest pipelines/dashboards.

@nerijus
Copy link

nerijus commented Jun 27, 2024

A lot of systems do not have (and do not want) rsyslog installed, so please don't make it a requirement for reading from journald.

@pierrehilbert
Copy link
Collaborator

I agree with @nerijus here, this is the main reason we need to support journald itself: avoiding to force our users to install rsyslog.

@belimawr
Copy link
Contributor

A lot of systems do not have (and do not want) rsyslog installed, so please don't make it a requirement for reading from journald.

We won't ;). I just mentioned rsyslog as an easy means of testing/comparing the traditional log files harvesting and the journald on the same system. We won't make rsyslog a dependency for the journald input.

@belimawr
Copy link
Contributor

belimawr commented Aug 9, 2024

I'm not sure if that's critical to GA the journald input, but we should better support binary fields. So far I found them in two situations:

  1. Messages with control characters:
    "MESSAGE": [85,110,97,98,108,101,32,116,111,32,112,97,114,115,101,32,105,110,100,105,99,97,116,111,114,32,111,102,32,65,84,43,66,73,65,32,99,111,109,109,97,110,100,58,32,65,84,43,66,73,65,61,49,44,49,44,48,44,48,44,48,13,65,84,43,66,67,83,61,50],
  2. Actual binary blobs:
    "COREDUMP_PROC_AUXV": [33,0,0,0,0,0,0,0,0,80,245,145,254,127,0,0,51,0,0,0,0,0,0,0,48,14,0,0,0,0,0,0,16,0,0,0,0,0,0,0,255,251,235,191,0,0,0,0,6,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,17,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,64,240,154,102,56,86,0,0,4,0,0,0,0,0,0,0,56,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,13,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,128,235,198,39,127,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,96,43,155,102,56,86,0,0,11,0,0,0,0,0,0,0,232,3,0,0,0,0,0,0,12,0,0,0,0,0,0,0,232,3,0,0,0,0,0,0,13,0,0,0,0,0,0,0,232,3,0,0,0,0,0,0,14,0,0,0,0,0,0,0,232,3,0,0,0,0,0,0,23,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,137,165,239,145,254,127,0,0,26,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,31,0,0,0,0,0,0,0,227,191,239,145,254,127,0,0,15,0,0,0,0,0,0,0,153,165,239,145,254,127,0,0,27,0,0,0,0,0,0,0,28,0,0,0,0,0,0,0,28,0,0,0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],

Anyway I created an issue for that: #40479

@andrewkroh
Copy link
Member

The input is not optimized for producing ECS fields. IIRC it does populate ECS fields but it also duplicates the same data into non-ECS fields. It would be much better to optimize the events coming out of the input before turning this on for users by default. All journald input users would benefit IMO.

I took a look at the current state of the fields produced by the input. My suggestions for aligning closer to ECS are in this table. Once we settle on mappings we should add a table to the input's documentation.

Current Name Proposed ECS Field Notes
message_id log.syslog.msgid https://www.elastic.co/guide/en/ecs/current/ecs-log.html#field-log-syslog-msgid
syslog.priority log.syslog.priority https://www.elastic.co/guide/en/ecs/current/ecs-log.html#field-log-syslog-priority
syslog.facility log.syslog.facility.code
syslog.identifier log.syslog.appname
syslog.pid log.syslog.procid
systemd.cgroup Leave as is?
systemd.invocation_id Leave as is?
systemd.owner_uid Leave as is?
systemd.session Leave as is?
systemd.slice Leave as is?
systemd.unit Leave as is?
systemd.user_slice Leave as is?
systemd.user_unit Leave as is?
systemd.transport Leave as is?
container.id_truncated Already have container.id, not need to also have id_truncated. Drop this field.
container.log.tag Don't need it because it is duplicated into the SYLOG_IDENTIFER (https://docs.docker.com/engine/logging/drivers/journald/). Drop this field.
container.partial Means that the message was truncated. The value is a boolean "true". The input could append("tags", "partial_message") if CONTAINER_PARTIAL_MESSAGE == "true". We should not be adding fields into the container namespace that are not part of ECS.

@belimawr
Copy link
Contributor

belimawr commented Oct 2, 2024

I found an issue with our current (main, 8.x) journald input implementation: #41083

I've already added it to the must have list for GA. The previous implementation did not have this problem. I already have an idea of how to fix it and how to test it.

@belimawr
Copy link
Contributor

belimawr commented Nov 12, 2024

I came across a case where host.hostname coming from the journal event is overwritten by the hostname from the machine running filebeat, that's not directly a Filebeat issue because a standalone Filebeat can easily circumvent that, however for Elastic-Agent it can be an issue.

I don't think it's a blocker, but we should at least document it.

GitHub issue: elastic/integrations#11717
Discuss thread: https://discuss.elastic.co/t/cant-get-host-name-from-filebeat-input-by-journad-mode/370296/

@cmacknz
Copy link
Member Author

cmacknz commented Nov 12, 2024

I came across a case where host.hostname coming from the journal event is overwritten by the hostname from the machine running filebeat, that's not directly a Filebeat issue because a standalone Filebeat can easily circumvent that, however for Elastic-Agent it can be an issue.

We ideally would not do this and should track this in a separate issue. This breaks use cases where we receive journald logs from a remote host.

I think this was handled in other places by defining a forwarded tag that excludes the event from the add_host_metadata default processor. See here and here for agent.

@belimawr
Copy link
Contributor

I think this was handled in other places by defining a forwarded tag that excludes the event from the add_host_metadata default processor. See here and here for agent.

I saw that, that's also what I recommended in the disucss thread, however I'm not sure what is the best approach to "solve" this issue: Do we add the forwarded tag by default in the integration? Do we just add a toggle for it and document the behaviour?

My gut feeling tells me we should use different fields, at least in this context of one Filebeat ingesting logs from multiple hosts.

I'll centralise this discussion on a single issue because it's affecting multiple projects in different ways.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Team:Elastic-Agent Label for the Agent team Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team
Projects
None yet
Development

No branches or pull requests

8 participants