elastic
diff --git a/‎CHANGELOG.next.asciidoc‎
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.next.asciidoc‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎filebeat/docs/include/use-journald.asciidoc‎
Lines changed: 4 additions & 0 deletions b/‎filebeat/docs/include/use-journald.asciidoc‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎filebeat/docs/modules/system.asciidoc‎
Lines changed: 2 additions & 0 deletions b/‎filebeat/docs/modules/system.asciidoc‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎filebeat/filebeat.reference.yml‎
Lines changed: 6 additions & 0 deletions b/‎filebeat/filebeat.reference.yml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎filebeat/module/system/README.md‎
Lines changed: 14 additions & 0 deletions b/‎filebeat/module/system/README.md‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎filebeat/module/system/_meta/config.reference.yml‎
Lines changed: 6 additions & 0 deletions b/‎filebeat/module/system/_meta/config.reference.yml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎filebeat/module/system/_meta/config.yml‎
Lines changed: 6 additions & 0 deletions b/‎filebeat/module/system/_meta/config.yml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎filebeat/module/system/_meta/docs.asciidoc‎
Lines changed: 2 additions & 0 deletions b/‎filebeat/module/system/_meta/docs.asciidoc‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎filebeat/module/system/auth/config/auth.yml‎
Lines changed: 9 additions & 1 deletion b/‎filebeat/module/system/auth/config/auth.yml‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎filebeat/module/system/auth/ingest/entrypoint.yml‎
Lines changed: 9 additions & 0 deletions b/‎filebeat/module/system/auth/ingest/entrypoint.yml‎
Lines changed: 9 additions & 0 deletions
@@ -323,6 +323,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Make ETW input GA. {pull}41389[41389]
 - Added input metrics to GCS input. {issue}36640[36640] {pull}41505[41505]
 - Add support for Okta entity analytics provider to collect role and factor data for users. {pull}41460[41460]
+- Add support for Journald in the System module. {pull}41555[41555]
 - Add ability to remove request trace logs from http_endpoint input. {pull}40005[40005]
 - Add ability to remove request trace logs from entityanalytics input. {pull}40004[40004]
 
 
@@ -0,0 +1,4 @@
+*`var.use_journald`*::
+
+A boolean that when set to `true` will read logs from Journald. When
+Journald is used all events contain the tag `journald`.
@@ -64,11 +64,13 @@ include::../include/config-option-intro.asciidoc[]
 ==== `syslog` fileset settings
 
 include::../include/var-paths.asciidoc[]
+include::../include/use-journald.asciidoc[]
 
 [float]
 ==== `auth` fileset settings
 
 include::../include/var-paths.asciidoc[]
+include::../include/use-journald.asciidoc[]
 
 *`var.tags`*::
 
 
@@ -21,6 +21,9 @@ filebeat.modules:
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+    # Use journald to collect system logs
+    #var.use_journald: false
+
     # Input configuration (advanced). Any input configuration option
     # can be added under this section.
     #input:
@@ -33,6 +36,9 @@ filebeat.modules:
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+    # Use journald to collect auth logs
+    #var.use_journald: false
+
     # Input configuration (advanced). Any input configuration option
     # can be added under this section.
     #input:
 
@@ -0,0 +1,14 @@
+# Journald tests (Debian 12)
+The tests for the journald input (currently only used for Debian 12
+testing) require journal files (test files ending in `.journal`), those
+files are generated using `systemd-journal-remote` (see the [Journald
+input README.md](../../input/journald/README.md) for more details).
+
+The source for those journal files are the `.export` files in the test
+folder. Those files are the raw output of `journalctl -o export`. They
+are added here because journal files format change with different
+versions of journald, which can cause `journalclt` to fail reading
+them, which leads to test failures. So if tests start failing because
+`journalctl` cannot read the journal files as expected, new ones can
+easily be generated with the same version of journalctl used on CI
+and the original dataset.
@@ -7,6 +7,9 @@
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+    # Use journald to collect system logs
+    #var.use_journald: false
+
     # Input configuration (advanced). Any input configuration option
     # can be added under this section.
     #input:
@@ -19,6 +22,9 @@
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+    # Use journald to collect auth logs
+    #var.use_journald: false
+
     # Input configuration (advanced). Any input configuration option
     # can be added under this section.
     #input:
@@ -7,10 +7,16 @@
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+    # Use journald to collect system logs
+    #var.use_journald: false
+
   # Authorization logs
   auth:
     enabled: false
 
     # Set custom paths for the log files. If left empty,
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
+
+    # Use journald to collect auth logs
+    #var.use_journald: false
@@ -57,11 +57,13 @@ include::../include/config-option-intro.asciidoc[]
 ==== `syslog` fileset settings
 
 include::../include/var-paths.asciidoc[]
+include::../include/use-journald.asciidoc[]
 
 [float]
 ==== `auth` fileset settings
 
 include::../include/var-paths.asciidoc[]
+include::../include/use-journald.asciidoc[]
 
 *`var.tags`*::
 
 
@@ -1,14 +1,22 @@
+{{ if .use_journald }}
+type: journald
+id: system-auth
+facilities:
+  - 4
+  - 10
+{{ else }}
 type: log
 paths:
 {{ range $i, $path := .paths }}
  - {{$path}}
 {{ end }}
 exclude_files: [".gz$"]
-
 multiline:
   pattern: "^\\s"
   match: after
+{{ end }}
 
+# Common configuration
 processors:
   - add_locale: ~
 
 
@@ -0,0 +1,9 @@
+description: Entrypoint Pipeline for system/auth Filebeat module
+processors:
+  - pipeline:
+      if: ctx?.input?.type == "journald"
+      name: '{< IngestPipeline "journald" >}'
+
+  - pipeline:
+      if: ctx?.input?.type == "log"
+      name: '{< IngestPipeline "files" >}'