Document Journald on docker (#13597)

belimawr · colleenmcginnis · web-flow · commit 58e71916f733 · 2025-06-27T16:41:51.000-04:00
---------

Co-authored-by: Colleen McGinnis &lt;colleen.j.mcginnis@gmail.com&gt;
diff --git a/packages/iptables/_dev/build/docs/README.md b/packages/iptables/_dev/build/docs/README.md
@@ -9,6 +9,22 @@ traffic (allow/deny).
 The module is by default configured to run with the `udp` input on port `9001`.
 However, it can also be configured to read from a file path or journald.
 
+To read Journald logs from within a container, you need to use a
+Docker image variant that contains `journalctl` binary. The variant
+supporting Journald is `elastic-agent-complete`.
+
+Journal files can have breaking changes making it
+impossible to read files generated by a newer versions of
+Journald. Ensure the journal files you are reading were generated by
+a version equal to or older than the `journalctl` shipped with the Docker
+image.
+
+To check the version of `journalctl` shipped with an Elastic Agent
+Docker image, run the following command:
+```
+docker run --rm -it --entrypoint journalctl docker.elastic.co/elastic-agent/elastic-agent-complete:<VERSION>  --version
+```
+
 ## Logs
 
 ### Iptables log
diff --git a/packages/iptables/changelog.yml b/packages/iptables/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.21.1"
+  changes:
+    - description: Update documentation to mention the requirements for reading Journald logs.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/13597
 - version: "1.21.0"
   changes:
     - description: Allow @custom pipeline access to event.original without setting preserve_original_event.
diff --git a/packages/iptables/docs/README.md b/packages/iptables/docs/README.md
@@ -9,6 +9,22 @@ traffic (allow/deny).
 The module is by default configured to run with the `udp` input on port `9001`.
 However, it can also be configured to read from a file path or journald.
 
+To read Journald logs from within a container, you need to use a
+Docker image variant that contains `journalctl` binary. The variant
+supporting Journald is `elastic-agent-complete`.
+
+Journal files can have breaking changes making it
+impossible to read files generated by a newer versions of
+Journald. Ensure the journal files you are reading were generated by
+a version equal to or older than the `journalctl` shipped with the Docker
+image.
+
+To check the version of `journalctl` shipped with an Elastic Agent
+Docker image, run the following command:
+```
+docker run --rm -it --entrypoint journalctl docker.elastic.co/elastic-agent/elastic-agent-complete:<VERSION>  --version
+```
+
 ## Logs
 
 ### Iptables log
diff --git a/packages/iptables/manifest.yml b/packages/iptables/manifest.yml
@@ -1,6 +1,6 @@
 name: iptables
 title: Iptables
-version: "1.21.0"
+version: "1.21.1"
 description: Collect logs from Iptables with Elastic Agent.
 type: integration
 icons:
diff --git a/packages/journald/changelog.yml b/packages/journald/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.2.1"
+  changes:
+    - description: Update documentation to mention the requirements for reading Journald logs.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/13597
 - version: "1.2.0"
   changes:
     - description: Add support for defining Conditions
diff --git a/packages/journald/docs/README.md b/packages/journald/docs/README.md
@@ -5,6 +5,22 @@ The journald input reads the log data and the metadata associated with it.
 
 The journald input is available on Linux systems with `systemd` installed.
 
+To read Journald logs from within a container, you need to use a
+Docker image variant that contains `journalctl` binary. The variant
+supporting Journald is `elastic-agent-complete`.
+
+Journal files can have breaking changes making it
+impossible to read files generated by a newer versions of
+Journald. Ensure the journal files you are reading were generated by
+a version equal to or older than the `journalctl` shipped with the Docker
+image.
+
+To check the version of `journalctl` shipped with an Elastic-Agent
+Docker image, run the following command:
+```
+docker run --rm -it --entrypoint journalctl docker.elastic.co/elastic-agent/elastic-agent-complete:<VERSION>  --version
+```
+
 An example event looks as follows:
 
 ```json
diff --git a/packages/journald/manifest.yml b/packages/journald/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.3.0
 name: journald
 title: "Custom Journald logs"
-version: 1.2.0
+version: 1.2.1
 description: Collect logs from journald with Elastic Agent.
 type: input
 categories:
diff --git a/packages/system/_dev/build/docs/README.md b/packages/system/_dev/build/docs/README.md
@@ -38,6 +38,22 @@ Each data stream collects different kinds of metric data, which may require dedi
 to be fetched and which may vary across operating systems.
 Details on the permissions needed for each data stream are available in the [Metrics reference](#metrics-reference).
 
+To read Journald logs from within a container, you need to use a
+Docker image variant that contains `journalctl` binary. The variant
+supporting Journald is `elastic-agent-complete`.
+
+Journal files can have breaking changes making it
+impossible to read files generated by a newer versions of
+Journald. Ensure the journal files you are reading were generated by
+a version equal to or older than the `journalctl` shipped with the Docker
+image.
+
+To check the version of `journalctl` shipped with an Elastic-Agent
+Docker image, run the following command:
+```
+docker run --rm -it --entrypoint journalctl docker.elastic.co/elastic-agent/elastic-agent-complete:<VERSION>  --version
+```
+
 ## Setup
 
 For step-by-step instructions on how to set up an integration, see the
diff --git a/packages/system/changelog.yml b/packages/system/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.3.2"
+  changes:
+    - description: Update documentation to mention the requirements for reading Journald logs.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/13597
 - version: "2.3.1"
   changes:
     - description: Change default to use journald input for SLES 15 SP6.
diff --git a/packages/system/docs/README.md b/packages/system/docs/README.md
@@ -38,6 +38,22 @@ Each data stream collects different kinds of metric data, which may require dedi
 to be fetched and which may vary across operating systems.
 Details on the permissions needed for each data stream are available in the [Metrics reference](#metrics-reference).
 
+To read Journald logs from within a container, you need to use a
+Docker image variant that contains `journalctl` binary. The variant
+supporting Journald is `elastic-agent-complete`.
+
+Journal files can have breaking changes making it
+impossible to read files generated by a newer versions of
+Journald. Ensure the journal files you are reading were generated by
+a version equal to or older than the `journalctl` shipped with the Docker
+image.
+
+To check the version of `journalctl` shipped with an Elastic-Agent
+Docker image, run the following command:
+```
+docker run --rm -it --entrypoint journalctl docker.elastic.co/elastic-agent/elastic-agent-complete:<VERSION>  --version
+```
+
 ## Setup
 
 For step-by-step instructions on how to set up an integration, see the
diff --git a/packages/system/manifest.yml b/packages/system/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.2
 name: system
 title: System
-version: "2.3.1"
+version: "2.3.2"
 description: Collect system logs and metrics from your servers with Elastic Agent.
 type: integration
 categories:
