Read journal entries from all boots #41244
Conversation
belimawr
added
bug
skip-ci
botelastic
bot
added
needs_team
|
This pull request is now in conflicts. Could you fix it? 🙏 |
|
This pull request does not have a backport label.
To fixup this pull request, you need to add the backport labels for the needed
|
|
|
mergify
bot
added
the
backport-8.x
belimawr
force-pushed
the
41083-journald-input-all-boots
branch
from
c6cee3e
to
2c39ac0
Compare
belimawr
force-pushed
the
41083-journald-input-all-boots
branch
from
21360eb
to
30c8299
Compare
|
This pull request is now in conflicts. Could you fix it? 🙏 |
Some versions of journalctl will only return messages from the current boot when --follow is passed, it will even ignore the cursor or date arguments. This commit reads messages from all boots by first calling journalctl without the --follow flag, reading all entries and once it successfully exits, then we restart journalctl with the cursor and the --follow flag.
This commit updates the parse test to use ndjson parser instead of multiline because the multiline parser can have issues when journald input is reading from files. There is a corner case where the journalctl exits successfully and the reader goroutine gets an error, this makes Next to return early, making the multiline to also return early. So far I have only seen this happening when reading from file and at the very end of the file, hence it does not seem to be a critical bug.
belimawr
force-pushed
the
41083-journald-input-all-boots
branch
from
6012cb8
to
1a91677
Compare
|
Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane) |
pierrehilbert
requested review from
mauri870
and removed request for
khushijain21
| // The JSON in the test journal is: '{"foo": "bar", "answer":42}' | ||
| expectedFoo := "bar" | ||
| expectedAnswer := int64(42) | ||
| if foo != expectedFoo { | ||
| t.Errorf("expecting foo to be '%s' got '%s' instead", expectedFoo, foo) | ||
| } | ||
| if answer != expectedAnswer { | ||
| t.Errorf("expecting foo to be '%d' got '%d' instead", expectedAnswer, answer) | ||
| } |
There was a problem hiding this comment.
NIT: You might be able to simplify this by using assert.JSONEq
There was a problem hiding this comment.
8 megabytes is quite huge to put under version control, is that standard behavior for test files?
There was a problem hiding this comment.
I guess the alternative is to only run the test on journald-enabled systems and compare with the live output.
Proposed commit message
Some versions of journalctl will only return messages from the current boot when --follow is passed, it will even ignore the cursor or date arguments.
This commit reads messages from all boots by first calling journalctl without the --follow flag, reading all entries and once it successfully exits, then we restart journalctl with the cursor and the --follow flag.
Checklist
I have made corresponding changes to the documentationI have made corresponding change to the default configuration filesCHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.## Disruptive User ImpactAuthor's Checklist
TestInputParsersfromfilebeat/input/journald/input_parsers_test.gois not flakyHow to test this PR locally
1. Run the tests
2. Run Filebeat reading
filebeat/input/journald/testdata/multiple-boots.journalThere must be 6 entries, you can see the plaintext entries by looking at
filebeat/input/journald/testdata/multiple-boots.exportor by running:3. Fully manual test
Related issues
## Use cases## Screenshots## Logs