From eb5332a7e466b7fcfb1c7f22ddc375da18ef43a2 Mon Sep 17 00:00:00 2001 From: Tiago Queiroz Date: Thu, 17 Apr 2025 18:43:04 -0400 Subject: [PATCH 01/11] Document Journald on docker --- packages/iptables/changelog.yml | 5 +++++ packages/iptables/docs/README.md | 8 ++++++++ packages/iptables/manifest.yml | 2 +- packages/journald/changelog.yml | 5 +++++ packages/journald/docs/README.md | 8 ++++++++ packages/journald/manifest.yml | 2 +- packages/system/changelog.yml | 5 +++++ packages/system/docs/README.md | 8 ++++++++ packages/system/manifest.yml | 2 +- 9 files changed, 42 insertions(+), 3 deletions(-) diff --git a/packages/iptables/changelog.yml b/packages/iptables/changelog.yml index 1623ca9f308..6f6650b5ad0 100644 --- a/packages/iptables/changelog.yml +++ b/packages/iptables/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.20.1" + changes: + - description: Update documentation to mention the requirements for reading Journald logs. + type: enhancement + link: https://github.com/elastic/integrations/pull/13597 - version: "1.20.0" changes: - description: Support stack version 9.0. diff --git a/packages/iptables/docs/README.md b/packages/iptables/docs/README.md index 24e2380de49..35b012ca5d3 100644 --- a/packages/iptables/docs/README.md +++ b/packages/iptables/docs/README.md 
@@ -9,6 +9,14 @@ traffic (allow/deny). The module is by default configured to run with the `udp` input on port `9001`. However, it can also be configured to read from a file path or journald. +To read Journald logs from within a container, you need to use the +[`elastic-agent-complete`](https://www.elastic.co/docs/reference/fleet/install-elastic-agents#elastic-agent-complete-flavor) +Docker image that contains the `jouranlctl` binary. Journal files can have breaking changes making it +impossible to read files generated by a newer versions of +Journald. Ensure the jounral files you are reading were generated by +a version equal or older than the `journalctl` shipped with the Docker +image. + ## Logs ### Iptables log diff --git a/packages/iptables/manifest.yml b/packages/iptables/manifest.yml index 315960f8812..28d38c23494 100644 --- a/packages/iptables/manifest.yml +++ b/packages/iptables/manifest.yml @@ -1,6 +1,6 @@ name: iptables title: Iptables -version: "1.20.0" +version: "1.20.1" description: Collect logs from Iptables with Elastic Agent. type: integration icons: diff --git a/packages/journald/changelog.yml b/packages/journald/changelog.yml index ab17ab03f7a..180a7358735 100644 --- a/packages/journald/changelog.yml +++ b/packages/journald/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.1.3" + changes: + - description: Update documentation to mention the requirements for reading Journald logs. + type: enhancement + link: https://github.com/elastic/integrations/pull/13597 - version: "1.1.2" changes: - description: Update Kibana requirement to support 9.x. diff --git a/packages/journald/docs/README.md b/packages/journald/docs/README.md index 09ab19d5979..3e48545be09 100644 --- a/packages/journald/docs/README.md +++ b/packages/journald/docs/README.md 
@@ -5,6 +5,14 @@ The journald input reads the log data and the metadata associated with it. The journald input is available on Linux systems with `systemd` installed. +To read Journald logs from within a container, you need to use the +[`elastic-agent-complete`](https://www.elastic.co/docs/reference/fleet/install-elastic-agents#elastic-agent-complete-flavor) +Docker image that contains the `jouranlctl` binary. Journal files can have breaking changes making it +impossible to read files generated by a newer versions of +Journald. Ensure the jounral files you are reading were generated by +a version equal or older than the `journalctl` shipped with the Docker +image.x + An example event looks as follows: ```json diff --git a/packages/journald/manifest.yml b/packages/journald/manifest.yml index b9ead830820..1e9eec59f61 100644 --- a/packages/journald/manifest.yml +++ b/packages/journald/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.3.0 name: journald title: "Custom Journald logs" -version: 1.1.2 +version: 1.1.3 description: Collect logs from journald with Elastic Agent. type: input categories: diff --git a/packages/system/changelog.yml b/packages/system/changelog.yml index 2b5f814d4f2..5b6b06870c6 100644 --- a/packages/system/changelog.yml +++ b/packages/system/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.68.2" + changes: + - description: Update documentation to mention the requirements for reading Journald logs. + type: enhancement + link: https://github.com/elastic/integrations/pull/13597 - version: "1.68.1" changes: - description: Change security pipeline to be defensive against different data types. diff --git a/packages/system/docs/README.md b/packages/system/docs/README.md index fc6c2657128..3327e61212f 100644 --- a/packages/system/docs/README.md +++ b/packages/system/docs/README.md 
@@ -38,6 +38,14 @@ Each data stream collects different kinds of metric data, which may require dedi to be fetched and which may vary across operating systems. Details on the permissions needed for each data stream are available in the [Metrics reference](#metrics-reference). +To read Journald logs from within a container, you need to use the +[`elastic-agent-complete`](https://www.elastic.co/docs/reference/fleet/install-elastic-agents#elastic-agent-complete-flavor) +Docker image that contains the `jouranlctl` binary. Journal files can have breaking changes making it +impossible to read files generated by a newer versions of +Journald. Ensure the jounral files you are reading were generated by +a version equal or older than the `journalctl` shipped with the Docker +image. + ## Setup For step-by-step instructions on how to set up an integration, see the diff --git a/packages/system/manifest.yml b/packages/system/manifest.yml index f6fbf53dfd2..8711bd30721 100644 --- a/packages/system/manifest.yml +++ b/packages/system/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.2 name: system title: System -version: "1.68.1" +version: "1.68.2" description: Collect system logs and metrics from your servers with Elastic Agent. type: integration categories: From e16a3ace74033d6524ce4a346cc868cc89672a7a Mon Sep 17 00:00:00 2001 From: Tiago Queiroz Date: Fri, 18 Apr 2025 09:35:37 -0400 Subject: [PATCH 02/11] Update the correct files --- packages/iptables/_dev/build/docs/README.md | 8 ++++++++ packages/journald/docs/README.md | 2 +- packages/system/_dev/build/docs/README.md | 8 ++++++++ 3 files changed, 17 insertions(+), 1 deletion(-) diff --git a/packages/iptables/_dev/build/docs/README.md b/packages/iptables/_dev/build/docs/README.md index 1eb03eafcb0..6d6c06a26c6 100644 --- a/packages/iptables/_dev/build/docs/README.md +++ b/packages/iptables/_dev/build/docs/README.md 
@@ -9,6 +9,14 @@ traffic (allow/deny). The module is by default configured to run with the `udp` input on port `9001`. However, it can also be configured to read from a file path or journald. +To read Journald logs from within a container, you need to use the +[`elastic-agent-complete`](https://www.elastic.co/docs/reference/fleet/install-elastic-agents#elastic-agent-complete-flavor) +Docker image that contains the `jouranlctl` binary. Journal files can have breaking changes making it +impossible to read files generated by a newer versions of +Journald. Ensure the jounral files you are reading were generated by +a version equal or older than the `journalctl` shipped with the Docker +image. + ## Logs ### Iptables log diff --git a/packages/journald/docs/README.md b/packages/journald/docs/README.md index 3e48545be09..3789fce9a05 100644 --- a/packages/journald/docs/README.md +++ b/packages/journald/docs/README.md @@ -11,7 +11,7 @@ Docker image that contains the `jouranlctl` binary. Journal files can have break impossible to read files generated by a newer versions of Journald. Ensure the jounral files you are reading were generated by a version equal or older than the `journalctl` shipped with the Docker -image.x +image. An example event looks as follows: diff --git a/packages/system/_dev/build/docs/README.md b/packages/system/_dev/build/docs/README.md index 42d1fc8f82a..99915ab973e 100644 --- a/packages/system/_dev/build/docs/README.md +++ b/packages/system/_dev/build/docs/README.md 
@@ -38,6 +38,14 @@ Each data stream collects different kinds of metric data, which may require dedi to be fetched and which may vary across operating systems. Details on the permissions needed for each data stream are available in the [Metrics reference](#metrics-reference). +To read Journald logs from within a container, you need to use the +[`elastic-agent-complete`](https://www.elastic.co/docs/reference/fleet/install-elastic-agents#elastic-agent-complete-flavor) +Docker image that contains the `jouranlctl` binary. Journal files can have breaking changes making it +impossible to read files generated by a newer versions of +Journald. Ensure the jounral files you are reading were generated by +a version equal or older than the `journalctl` shipped with the Docker +image. + ## Setup For step-by-step instructions on how to set up an integration, see the From a55be0c0a3463e03b823749328da3b06179e3d15 Mon Sep 17 00:00:00 2001 From: Tiago Queiroz Date: Fri, 25 Apr 2025 10:35:28 -0400 Subject: [PATCH 03/11] Fix typos --- packages/iptables/_dev/build/docs/README.md | 6 +++--- packages/iptables/docs/README.md | 6 +++--- packages/journald/docs/README.md | 6 +++--- packages/system/_dev/build/docs/README.md | 6 +++--- packages/system/docs/README.md | 6 +++--- 5 files changed, 15 insertions(+), 15 deletions(-) diff --git a/packages/iptables/_dev/build/docs/README.md b/packages/iptables/_dev/build/docs/README.md index 6d6c06a26c6..b1143f8cb25 100644 --- a/packages/iptables/_dev/build/docs/README.md +++ b/packages/iptables/_dev/build/docs/README.md 
@@ -11,10 +11,10 @@ However, it can also be configured to read from a file path or journald. To read Journald logs from within a container, you need to use the [`elastic-agent-complete`](https://www.elastic.co/docs/reference/fleet/install-elastic-agents#elastic-agent-complete-flavor) -Docker image that contains the `jouranlctl` binary. Journal files can have breaking changes making it +Docker image that contains the `journalctl` binary. Journal files can have breaking changes making it impossible to read files generated by a newer versions of -Journald. Ensure the jounral files you are reading were generated by -a version equal or older than the `journalctl` shipped with the Docker +Journald. Ensure the journal files you are reading were generated by +a version equal to or older than the `journalctl` shipped with the Docker image. ## Logs diff --git a/packages/iptables/docs/README.md b/packages/iptables/docs/README.md index 35b012ca5d3..fba05cf9318 100644 --- a/packages/iptables/docs/README.md +++ b/packages/iptables/docs/README.md @@ -11,10 +11,10 @@ However, it can also be configured to read from a file path or journald. To read Journald logs from within a container, you need to use the [`elastic-agent-complete`](https://www.elastic.co/docs/reference/fleet/install-elastic-agents#elastic-agent-complete-flavor) -Docker image that contains the `jouranlctl` binary. Journal files can have breaking changes making it +Docker image that contains the `journalctl` binary. Journal files can have breaking changes making it impossible to read files generated by a newer versions of -Journald. Ensure the jounral files you are reading were generated by -a version equal or older than the `journalctl` shipped with the Docker +Journald. Ensure the journal files you are reading were generated by +a version equal to or older than the `journalctl` shipped with the Docker image. ## Logs 
diff --git a/packages/journald/docs/README.md b/packages/journald/docs/README.md index 3789fce9a05..025a72f18b9 100644 --- a/packages/journald/docs/README.md +++ b/packages/journald/docs/README.md @@ -7,10 +7,10 @@ The journald input is available on Linux systems with `systemd` installed. To read Journald logs from within a container, you need to use the [`elastic-agent-complete`](https://www.elastic.co/docs/reference/fleet/install-elastic-agents#elastic-agent-complete-flavor) -Docker image that contains the `jouranlctl` binary. Journal files can have breaking changes making it +Docker image that contains the `journalctl` binary. Journal files can have breaking changes making it impossible to read files generated by a newer versions of -Journald. Ensure the jounral files you are reading were generated by -a version equal or older than the `journalctl` shipped with the Docker +Journald. Ensure the journal files you are reading were generated by +a version equal to or older than the `journalctl` shipped with the Docker image. An example event looks as follows: diff --git a/packages/system/_dev/build/docs/README.md b/packages/system/_dev/build/docs/README.md index 99915ab973e..376d9b55b57 100644 --- a/packages/system/_dev/build/docs/README.md +++ b/packages/system/_dev/build/docs/README.md 
@@ -40,10 +40,10 @@ Details on the permissions needed for each data stream are available in the [Met To read Journald logs from within a container, you need to use the [`elastic-agent-complete`](https://www.elastic.co/docs/reference/fleet/install-elastic-agents#elastic-agent-complete-flavor) -Docker image that contains the `jouranlctl` binary. Journal files can have breaking changes making it +Docker image that contains the `journalctl` binary. Journal files can have breaking changes making it impossible to read files generated by a newer versions of -Journald. Ensure the jounral files you are reading were generated by -a version equal or older than the `journalctl` shipped with the Docker +Journald. Ensure the journal files you are reading were generated by +a version equal to or older than the `journalctl` shipped with the Docker image. ## Setup diff --git a/packages/system/docs/README.md b/packages/system/docs/README.md index 3327e61212f..299d8387d5c 100644 --- a/packages/system/docs/README.md +++ b/packages/system/docs/README.md @@ -40,10 +40,10 @@ Details on the permissions needed for each data stream are available in the [Met To read Journald logs from within a container, you need to use the [`elastic-agent-complete`](https://www.elastic.co/docs/reference/fleet/install-elastic-agents#elastic-agent-complete-flavor) -Docker image that contains the `jouranlctl` binary. Journal files can have breaking changes making it +Docker image that contains the `journalctl` binary. Journal files can have breaking changes making it impossible to read files generated by a newer versions of -Journald. Ensure the jounral files you are reading were generated by -a version equal or older than the `journalctl` shipped with the Docker +Journald. Ensure the journal files you are reading were generated by +a version equal to or older than the `journalctl` shipped with the Docker image. ## Setup From 73e476d1bec070269b68d12ad9da25ee1691e42e Mon Sep 17 00:00:00 2001 
From: Tiago Queiroz Date: Fri, 23 May 2025 10:52:44 -0400 Subject: [PATCH 04/11] Update Docker image variants shipping journalctl --- packages/iptables/_dev/build/docs/README.md | 17 ++++++++++++++--- packages/iptables/docs/README.md | 18 +++++++++++++++--- packages/journald/docs/README.md | 17 ++++++++++++++--- packages/system/_dev/build/docs/README.md | 17 ++++++++++++++--- packages/system/docs/README.md | 17 ++++++++++++++--- 5 files changed, 71 insertions(+), 15 deletions(-) diff --git a/packages/iptables/_dev/build/docs/README.md b/packages/iptables/_dev/build/docs/README.md index b1143f8cb25..ab5dd1f6e43 100644 --- a/packages/iptables/_dev/build/docs/README.md +++ b/packages/iptables/_dev/build/docs/README.md @@ -9,14 +9,25 @@ traffic (allow/deny). The module is by default configured to run with the `udp` input on port `9001`. However, it can also be configured to read from a file path or journald. -To read Journald logs from within a container, you need to use the -[`elastic-agent-complete`](https://www.elastic.co/docs/reference/fleet/install-elastic-agents#elastic-agent-complete-flavor) -Docker image that contains the `journalctl` binary. Journal files can have breaking changes making it +To read Journald logs from within a container, you need to use a +Docker image variant that contains `journalctl` binary. The variants +supporting Journald are: +- `elastic-agent-complete` +- `elastic-agent-ubi` +- `elastic-agent` + +Journal files can have breaking changes making it impossible to read files generated by a newer versions of Journald. Ensure the journal files you are reading were generated by a version equal to or older than the `journalctl` shipped with the Docker image. +To check the version of `journalctl` shipped with an Elastic-Agent +Docker image, run the following command: +``` +docker run --rm -it --entrypoint journalctl docker.elastic.co/elastic-agent/elastic-agent: --version +``` + ## Logs ### Iptables log 
diff --git a/packages/iptables/docs/README.md b/packages/iptables/docs/README.md index fba05cf9318..a572aa0423b 100644 --- a/packages/iptables/docs/README.md +++ b/packages/iptables/docs/README.md @@ -9,14 +9,26 @@ traffic (allow/deny). The module is by default configured to run with the `udp` input on port `9001`. However, it can also be configured to read from a file path or journald. -To read Journald logs from within a container, you need to use the -[`elastic-agent-complete`](https://www.elastic.co/docs/reference/fleet/install-elastic-agents#elastic-agent-complete-flavor) -Docker image that contains the `journalctl` binary. Journal files can have breaking changes making it +To read Journald logs from within a container, you need to use a +Docker image variant that contains `journalctl` binary. The variants +supporting Journald are: +- `elastic-agent-complete` +- `elastic-agent-ubi` +- `elastic-agent` +- `elastic-otel-collector` + +Journal files can have breaking changes making it impossible to read files generated by a newer versions of Journald. Ensure the journal files you are reading were generated by a version equal to or older than the `journalctl` shipped with the Docker image. +To check the version of `journalctl` shipped with an Elastic-Agent +Docker image, run the following command: +``` +docker run --rm -it --entrypoint journalctl docker.elastic.co/elastic-agent/elastic-agent: --version +``` + ## Logs ### Iptables log diff --git a/packages/journald/docs/README.md b/packages/journald/docs/README.md index 025a72f18b9..f62cfc1d461 100644 --- a/packages/journald/docs/README.md +++ b/packages/journald/docs/README.md 
@@ -5,14 +5,25 @@ The journald input reads the log data and the metadata associated with it. The journald input is available on Linux systems with `systemd` installed. -To read Journald logs from within a container, you need to use the -[`elastic-agent-complete`](https://www.elastic.co/docs/reference/fleet/install-elastic-agents#elastic-agent-complete-flavor) -Docker image that contains the `journalctl` binary. Journal files can have breaking changes making it +To read Journald logs from within a container, you need to use a +Docker image variant that contains `journalctl` binary. The variants +supporting Journald are: +- `elastic-agent-complete` +- `elastic-agent-ubi` +- `elastic-agent` + +Journal files can have breaking changes making it impossible to read files generated by a newer versions of Journald. Ensure the journal files you are reading were generated by a version equal to or older than the `journalctl` shipped with the Docker image. +To check the version of `journalctl` shipped with an Elastic-Agent +Docker image, run the following command: +``` +docker run --rm -it --entrypoint journalctl docker.elastic.co/elastic-agent/elastic-agent: --version +``` + An example event looks as follows: ```json diff --git a/packages/system/_dev/build/docs/README.md b/packages/system/_dev/build/docs/README.md index 376d9b55b57..3ea1c695e58 100644 --- a/packages/system/_dev/build/docs/README.md +++ b/packages/system/_dev/build/docs/README.md 
@@ -38,14 +38,25 @@ Each data stream collects different kinds of metric data, which may require dedi to be fetched and which may vary across operating systems. Details on the permissions needed for each data stream are available in the [Metrics reference](#metrics-reference). -To read Journald logs from within a container, you need to use the -[`elastic-agent-complete`](https://www.elastic.co/docs/reference/fleet/install-elastic-agents#elastic-agent-complete-flavor) -Docker image that contains the `journalctl` binary. Journal files can have breaking changes making it +To read Journald logs from within a container, you need to use a +Docker image variant that contains `journalctl` binary. The variants +supporting Journald are: +- `elastic-agent-complete` +- `elastic-agent-ubi` +- `elastic-agent` + +Journal files can have breaking changes making it impossible to read files generated by a newer versions of Journald. Ensure the journal files you are reading were generated by a version equal to or older than the `journalctl` shipped with the Docker image. +To check the version of `journalctl` shipped with an Elastic-Agent +Docker image, run the following command: +``` +docker run --rm -it --entrypoint journalctl docker.elastic.co/elastic-agent/elastic-agent: --version +``` + ## Setup For step-by-step instructions on how to set up an integration, see the diff --git a/packages/system/docs/README.md b/packages/system/docs/README.md index 299d8387d5c..60940e4f192 100644 --- a/packages/system/docs/README.md +++ b/packages/system/docs/README.md 
@@ -38,14 +38,25 @@ Each data stream collects different kinds of metric data, which may require dedi to be fetched and which may vary across operating systems. Details on the permissions needed for each data stream are available in the [Metrics reference](#metrics-reference). -To read Journald logs from within a container, you need to use the -[`elastic-agent-complete`](https://www.elastic.co/docs/reference/fleet/install-elastic-agents#elastic-agent-complete-flavor) -Docker image that contains the `journalctl` binary. Journal files can have breaking changes making it +To read Journald logs from within a container, you need to use a +Docker image variant that contains `journalctl` binary. The variants +supporting Journald are: +- `elastic-agent-complete` +- `elastic-agent-ubi` +- `elastic-agent` + +Journal files can have breaking changes making it impossible to read files generated by a newer versions of Journald. Ensure the journal files you are reading were generated by a version equal to or older than the `journalctl` shipped with the Docker image. +To check the version of `journalctl` shipped with an Elastic-Agent +Docker image, run the following command: +``` +docker run --rm -it --entrypoint journalctl docker.elastic.co/elastic-agent/elastic-agent: --version +``` + ## Setup For step-by-step instructions on how to set up an integration, see the From da887b35d019faec384e454944ae6044e16d2dea Mon Sep 17 00:00:00 2001 From: Tiago Queiroz Date: Wed, 11 Jun 2025 09:43:05 -0400 Subject: [PATCH 05/11] [filestream] add warning about only ingesting files >= 1024 bytes --- packages/filestream/_dev/build/docs/README.md | 7 +++++++ packages/filestream/changelog.yml | 5 +++++ packages/filestream/docs/README.md | 7 +++++++ packages/filestream/manifest.yml | 2 +- 4 files changed, 20 insertions(+), 1 deletion(-) diff --git a/packages/filestream/_dev/build/docs/README.md b/packages/filestream/_dev/build/docs/README.md index d6c6f5c99b5..8aeb5267477 100644 
--- a/packages/filestream/_dev/build/docs/README.md +++ b/packages/filestream/_dev/build/docs/README.md @@ -3,6 +3,13 @@ WARNING: Migrating from the "Custom Logs (Deprecated)" to "Custom Logs (Filestream)" will cause files to be re-ingested because the state is not migrated. +IMPORTANT: The Filestream integration will only start ingesting files +when they are 1024 bytes in size or larger. This can be adjusted by +setting "Fingerprint length", however it will influence how files are +identified. Refer to the +[fingerprint](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-filestream#filebeat-input-filestream-file-identity-fingerprint) +documentation for more details. + In future releases it's expected to have an automated way to migrate the state. However, this is not possible at the moment. The current best option for minimizing the data duplication while migrating to "Custom Logs (Filestream)" is to use the 'Ignore Older' or 'Exclude Files' options. diff --git a/packages/filestream/changelog.yml b/packages/filestream/changelog.yml index ef1e35b7402..0cb3e25facc 100644 --- a/packages/filestream/changelog.yml +++ b/packages/filestream/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.1.4" + changes: + - description: Add warning about only ingesting files >= 1024 bytes + type: enhancement + link: https://github.com/elastic/integrations/pull/9999 - version: "1.1.3" changes: - description: Correct the readme diff --git a/packages/filestream/docs/README.md b/packages/filestream/docs/README.md index 30922eabca9..1ce9433426c 100644 --- a/packages/filestream/docs/README.md +++ b/packages/filestream/docs/README.md 
@@ -3,6 +3,13 @@ WARNING: Migrating from the "Custom Logs (Deprecated)" to "Custom Logs (Filestream)" will cause files to be re-ingested because the state is not migrated. +IMPORTANT: The Filestream integration will only start ingesting files +when they are 1024 bytes in size or larger. This can be adjusted by +setting "Fingerprint length", however it will influence how files are +identified. Refer to the +[fingerprint](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-filestream#filebeat-input-filestream-file-identity-fingerprint) +documentation for more details. + In future releases it's expected to have an automated way to migrate the state. However, this is not possible at the moment. The current best option for minimizing the data duplication while migrating to "Custom Logs (Filestream)" is to use the 'Ignore Older' or 'Exclude Files' options. diff --git a/packages/filestream/manifest.yml b/packages/filestream/manifest.yml index fe7530c2f14..bf7bf9bc2ff 100644 --- a/packages/filestream/manifest.yml +++ b/packages/filestream/manifest.yml @@ -3,7 +3,7 @@ name: filestream title: Custom Logs (Filestream) description: Collect log data using filestream with Elastic Agent. type: integration -version: 1.1.3 +version: 1.1.4 conditions: kibana: version: "^8.15.0 || ^9.0.0" From d5a9ef882187e09702dff686376d837bedf6d1b7 Mon Sep 17 00:00:00 2001 From: Tiago Queiroz Date: Thu, 26 Jun 2025 10:37:14 -0400 Subject: [PATCH 06/11] Fix changelog --- packages/filestream/changelog.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/filestream/changelog.yml b/packages/filestream/changelog.yml index cb5fe3528e3..bf2ba72e9aa 100644 --- a/packages/filestream/changelog.yml +++ b/packages/filestream/changelog.yml 
@@ -1,9 +1,9 @@
 # newer versions go on top
 - version: "1.1.6"
 changes:
- - description: Add warning about only ingesting files >= 1024 bytes
+ - description: Update documentation to mention the requirements for reading Journald logs.
 type: enhancement
- link: https://github.com/elastic/integrations/pull/9999
+ link: https://github.com/elastic/integrations/pull/13597
 - version: "1.1.5"
 changes:
 - description: Fix file identity options not getting applied correctly
From 92b92e2c3b9865986dc93f7e810e41180f90b872 Mon Sep 17 00:00:00 2001
From: Tiago Queiroz
Date: Thu, 26 Jun 2025 10:38:51 -0400
Subject: [PATCH 07/11] Fix merge conflict
---
 packages/filestream/changelog.yml | 5 -----
 packages/filestream/manifest.yml | 2 +-
 2 files changed, 1 insertion(+), 6 deletions(-)
diff --git a/packages/filestream/changelog.yml b/packages/filestream/changelog.yml
index bf2ba72e9aa..572265f8fb1 100644
--- a/packages/filestream/changelog.yml
+++ b/packages/filestream/changelog.yml
@@ -1,9 +1,4 @@
 # newer versions go on top
-- version: "1.1.6"
- changes:
- - description: Update documentation to mention the requirements for reading Journald logs.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/13597
 - version: "1.1.5"
 changes:
 - description: Fix file identity options not getting applied correctly
diff --git a/packages/filestream/manifest.yml b/packages/filestream/manifest.yml
index abb3fd211cf..e3b1c532f3d 100644
--- a/packages/filestream/manifest.yml
+++ b/packages/filestream/manifest.yml
@@ -3,7 +3,7 @@ name: filestream
 title: Custom Logs (Filestream)
 description: Collect log data using filestream with Elastic Agent.
 type: integration
-version: 1.1.6
+version: 1.1.5
 conditions:
 kibana:
 version: "^8.15.0 || ^9.0.0"
From e61f5da38c51d98d7da18694d6026ab5c0790c60 Mon Sep 17 00:00:00 2001
From: Tiago Queiroz Date: Thu, 26 Jun 2025 10:44:57 -0400 Subject: [PATCH 08/11] Update images list --- packages/iptables/_dev/build/docs/README.md | 7 ++----- packages/iptables/docs/README.md | 8 ++------ packages/journald/docs/README.md | 7 ++----- packages/system/_dev/build/docs/README.md | 7 ++----- packages/system/docs/README.md | 7 ++----- 5 files changed, 10 insertions(+), 26 deletions(-) diff --git a/packages/iptables/_dev/build/docs/README.md b/packages/iptables/_dev/build/docs/README.md index ab5dd1f6e43..4986888aab5 100644 --- a/packages/iptables/_dev/build/docs/README.md +++ b/packages/iptables/_dev/build/docs/README.md @@ -10,11 +10,8 @@ The module is by default configured to run with the `udp` input on port `9001`. However, it can also be configured to read from a file path or journald. To read Journald logs from within a container, you need to use a -Docker image variant that contains `journalctl` binary. The variants -supporting Journald are: -- `elastic-agent-complete` -- `elastic-agent-ubi` -- `elastic-agent` +Docker image variant that contains `journalctl` binary. The variant +supporting Journald is `elastic-agent-complete`. Journal files can have breaking changes making it impossible to read files generated by a newer versions of diff --git a/packages/iptables/docs/README.md b/packages/iptables/docs/README.md index a572aa0423b..d3a652aea0c 100644 --- a/packages/iptables/docs/README.md +++ b/packages/iptables/docs/README.md 
@@ -10,12 +10,8 @@ The module is by default configured to run with the `udp` input on port `9001`. However, it can also be configured to read from a file path or journald. To read Journald logs from within a container, you need to use a -Docker image variant that contains `journalctl` binary. The variants -supporting Journald are: -- `elastic-agent-complete` -- `elastic-agent-ubi` -- `elastic-agent` -- `elastic-otel-collector` +Docker image variant that contains `journalctl` binary. The variant +supporting Journald is `elastic-agent-complete`. Journal files can have breaking changes making it impossible to read files generated by a newer versions of diff --git a/packages/journald/docs/README.md b/packages/journald/docs/README.md index f62cfc1d461..d81d8c6c649 100644 --- a/packages/journald/docs/README.md +++ b/packages/journald/docs/README.md @@ -6,11 +6,8 @@ The journald input reads the log data and the metadata associated with it. The journald input is available on Linux systems with `systemd` installed. To read Journald logs from within a container, you need to use a -Docker image variant that contains `journalctl` binary. The variants -supporting Journald are: -- `elastic-agent-complete` -- `elastic-agent-ubi` -- `elastic-agent` +Docker image variant that contains `journalctl` binary. The variant +supporting Journald is `elastic-agent-complete`. Journal files can have breaking changes making it impossible to read files generated by a newer versions of diff --git a/packages/system/_dev/build/docs/README.md b/packages/system/_dev/build/docs/README.md index 3ea1c695e58..1f5b3a63b6b 100644 --- a/packages/system/_dev/build/docs/README.md +++ b/packages/system/_dev/build/docs/README.md 
@@ -39,11 +39,8 @@ to be fetched and which may vary across operating systems. Details on the permissions needed for each data stream are available in the [Metrics reference](#metrics-reference). To read Journald logs from within a container, you need to use a -Docker image variant that contains `journalctl` binary. The variants -supporting Journald are: -- `elastic-agent-complete` -- `elastic-agent-ubi` -- `elastic-agent` +Docker image variant that contains `journalctl` binary. The variant +supporting Journald is `elastic-agent-complete`. Journal files can have breaking changes making it impossible to read files generated by a newer versions of diff --git a/packages/system/docs/README.md b/packages/system/docs/README.md index 60940e4f192..61c3de35f88 100644 --- a/packages/system/docs/README.md +++ b/packages/system/docs/README.md @@ -39,11 +39,8 @@ to be fetched and which may vary across operating systems. Details on the permissions needed for each data stream are available in the [Metrics reference](#metrics-reference). To read Journald logs from within a container, you need to use a -Docker image variant that contains `journalctl` binary. The variants -supporting Journald are: -- `elastic-agent-complete` -- `elastic-agent-ubi` -- `elastic-agent` +Docker image variant that contains `journalctl` binary. The variant +supporting Journald is `elastic-agent-complete`. Journal files can have breaking changes making it impossible to read files generated by a newer versions of From e896a72786606ce50e99d2e5d676cff4828de3a0 Mon Sep 17 00:00:00 2001 From: Tiago Queiroz Date: Thu, 26 Jun 2025 10:49:09 -0400 Subject: [PATCH 09/11] Update docker command --- packages/iptables/_dev/build/docs/README.md | 2 +- packages/iptables/docs/README.md | 2 +- packages/journald/docs/README.md | 2 +- packages/system/_dev/build/docs/README.md | 2 +- packages/system/docs/README.md | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) 
diff --git a/packages/iptables/_dev/build/docs/README.md b/packages/iptables/_dev/build/docs/README.md index 4986888aab5..b07e8bceb77 100644 --- a/packages/iptables/_dev/build/docs/README.md +++ b/packages/iptables/_dev/build/docs/README.md @@ -22,7 +22,7 @@ image. To check the version of `journalctl` shipped with an Elastic-Agent Docker image, run the following command: ``` -docker run --rm -it --entrypoint journalctl docker.elastic.co/elastic-agent/elastic-agent: --version +docker run --rm -it --entrypoint journalctl docker.elastic.co/elastic-agent/elastic-agent-complete: --version ``` ## Logs diff --git a/packages/iptables/docs/README.md b/packages/iptables/docs/README.md index d3a652aea0c..fa925842e95 100644 --- a/packages/iptables/docs/README.md +++ b/packages/iptables/docs/README.md @@ -22,7 +22,7 @@ image. To check the version of `journalctl` shipped with an Elastic-Agent Docker image, run the following command: ``` -docker run --rm -it --entrypoint journalctl docker.elastic.co/elastic-agent/elastic-agent: --version +docker run --rm -it --entrypoint journalctl docker.elastic.co/elastic-agent/elastic-agent-complete: --version ``` ## Logs diff --git a/packages/journald/docs/README.md b/packages/journald/docs/README.md index d81d8c6c649..063c29bf3d0 100644 --- a/packages/journald/docs/README.md +++ b/packages/journald/docs/README.md @@ -18,7 +18,7 @@ image. To check the version of `journalctl` shipped with an Elastic-Agent Docker image, run the following command: ``` -docker run --rm -it --entrypoint journalctl docker.elastic.co/elastic-agent/elastic-agent: --version +docker run --rm -it --entrypoint journalctl docker.elastic.co/elastic-agent/elastic-agent-complete: --version ``` An example event looks as follows: diff --git a/packages/system/_dev/build/docs/README.md b/packages/system/_dev/build/docs/README.md index 1f5b3a63b6b..dda0695817c 100644 --- a/packages/system/_dev/build/docs/README.md +++ b/packages/system/_dev/build/docs/README.md 
@@ -51,7 +51,7 @@ image. To check the version of `journalctl` shipped with an Elastic-Agent Docker image, run the following command: ``` -docker run --rm -it --entrypoint journalctl docker.elastic.co/elastic-agent/elastic-agent: --version +docker run --rm -it --entrypoint journalctl docker.elastic.co/elastic-agent/elastic-agent-complete: --version ``` ## Setup diff --git a/packages/system/docs/README.md b/packages/system/docs/README.md index 61c3de35f88..d2d0ec50f84 100644 --- a/packages/system/docs/README.md +++ b/packages/system/docs/README.md @@ -51,7 +51,7 @@ image. To check the version of `journalctl` shipped with an Elastic-Agent Docker image, run the following command: ``` -docker run --rm -it --entrypoint journalctl docker.elastic.co/elastic-agent/elastic-agent: --version +docker run --rm -it --entrypoint journalctl docker.elastic.co/elastic-agent/elastic-agent-complete: --version ``` ## Setup From 8462e24117cd57cb69cf1c1ad1be34cf5ef379f2 Mon Sep 17 00:00:00 2001 From: Tiago Queiroz Date: Fri, 27 Jun 2025 11:04:31 -0400 Subject: [PATCH 10/11] Update packages/iptables/_dev/build/docs/README.md Co-authored-by: Colleen McGinnis --- packages/iptables/_dev/build/docs/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/iptables/_dev/build/docs/README.md b/packages/iptables/_dev/build/docs/README.md index b07e8bceb77..25f496698a5 100644 --- a/packages/iptables/_dev/build/docs/README.md +++ b/packages/iptables/_dev/build/docs/README.md @@ -19,7 +19,7 @@ Journald. Ensure the journal files you are reading were generated by a version equal to or older than the `journalctl` shipped with the Docker image. -To check the version of `journalctl` shipped with an Elastic-Agent +To check the version of `journalctl` shipped with an Elastic Agent Docker image, run the following command: ``` docker run --rm -it --entrypoint journalctl docker.elastic.co/elastic-agent/elastic-agent-complete: --version 
From 7880e5f95f0bf173913922bc7b0bf783543eb943 Mon Sep 17 00:00:00 2001 From: Tiago Queiroz Date: Fri, 27 Jun 2025 12:13:41 -0400 Subject: [PATCH 11/11] Generate docs --- packages/iptables/docs/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/iptables/docs/README.md b/packages/iptables/docs/README.md index fa925842e95..42bcaffdbb4 100644 --- a/packages/iptables/docs/README.md +++ b/packages/iptables/docs/README.md @@ -19,7 +19,7 @@ Journald. Ensure the journal files you are reading were generated by a version equal to or older than the `journalctl` shipped with the Docker image. -To check the version of `journalctl` shipped with an Elastic-Agent +To check the version of `journalctl` shipped with an Elastic Agent Docker image, run the following command: ``` docker run --rm -it --entrypoint journalctl docker.elastic.co/elastic-agent/elastic-agent-complete: --version