elastic · belimawr · Dec 9, 2025 · Dec 9, 2025 · Dec 9, 2025 · Dec 9, 2025
@@ -10941,11 +10941,11 @@ SOFTWARE
 
 --------------------------------------------------------------------------------
 Dependency : github.com/elastic/elastic-agent-libs
-Version: v0.26.2
+Version: v0.28.0
 Licence type (autodetected): Apache-2.0
 --------------------------------------------------------------------------------
 
-Contents of probable licence file $GOMODCACHE/github.com/elastic/elastic-agent-libs@v0.26.2/LICENSE:
+Contents of probable licence file $GOMODCACHE/github.com/elastic/elastic-agent-libs@v0.28.0/LICENSE:
 
                                  Apache License
                            Version 2.0, January 2004
@@ -28994,13 +28994,13 @@ Contents of probable licence file $GOMODCACHE/go.uber.org/[email protected]/LICENSE:
 
 --------------------------------------------------------------------------------
 Dependency : go.uber.org/zap
-Version: v1.27.0
+Version: v1.27.1
 Licence type (autodetected): MIT
 --------------------------------------------------------------------------------
 
-Contents of probable licence file $GOMODCACHE/go.uber.org/[email protected].0/LICENSE:
+Contents of probable licence file $GOMODCACHE/go.uber.org/[email protected].1/LICENSE:
 
-Copyright (c) 2016-2017 Uber Technologies, Inc.
+Copyright (c) 2016-2024 Uber Technologies, Inc.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

diff --git a/changelog/fragments/1765318668-Support-chroot-in-journald.yaml b/changelog/fragments/1765318668-Support-chroot-in-journald.yaml
@@ -0,0 +1,32 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: feature
+
+# Change summary; a 80ish characters long description of the change.
+summary: The Journald input now supports setting a chroot to use when calling the journalctl binary
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+#description:
+
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component: filebeat
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+pr: https://github.com/elastic/beats/pull/48008
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+issue: https://github.com/elastic/beats/issues/47164
@@ -15,16 +15,18 @@ The Wolfi-based Docker image does not contain the `journalctl` binary and the `j
 :::
 
 :::{important}
-When using the Journald input from a Docker container, make sure the
-`journalctl` binary in the container is compatible with your
-Systemd/journal version. To get the version of the `journalctl` binary
-in Filebeat's image run the following, adjusting the image name/tag
-according to the version that you are running:
-
-
-```sh
-docker run --rm -it --entrypoint "journalctl" docker.elastic.co/beats/filebeat-wolfi:<VERSION> --version
-```
+When using the Journald input from a Docker container, make sure that
+either:
+ - {applies_to}`stack: ga 9.3.0` [`chroot`](#filebeat-input-journald-chroot), [`journalct_path`](#filebeat-input-journald-journalctl-path) are set, or
+ - The `journalctl` binary in the container is compatible with your
+   Systemd/journal version. To get the version of the `journalctl` binary
+   in Filebeat's image run the following, adjusting the image name/tag
+   according to the version that you are running:
+
+
+   ```sh
+   docker run --rm -it --entrypoint "journalctl" docker.elastic.co/beats/filebeat-wolfi:<VERSION> --version
+   ```
 :::
 
 If the `journalctl` process exits unexpectedly the journald input will terminate with an error and Filebeat will need to be restarted to start reading from the journal again.
@@ -110,8 +112,24 @@ input will only ingest the journal files found when started. New
 files will not be ingested.
 :::
 
+### `chroot` [filebeat-input-journald-chroot]
+```{applies_to}
+stack: ga 9.3.0
+```
+A folder to be used as chroot when calling `journalctl`. This allows
+Filebeat to call the host's `journalctl` directly. If using this
+option, {{filebeat}} must be run as root and
+[`journalct_path`](#filebeat-input-journald-journalctl-path) must be
+set.
 
-
+### `journalct_path` [filebeat-input-journald-journalctl-path]
+```{applies_to}
+stack: ga 9.3.0
+```
+The absolute path for the `journalctl` binary. If not set {{filebeat}}
+will look for `journalctl` in `PATH`. When using
+[`chroot`](#filebeat-input-journald-chroot), `journalct_path` must be
+an absolute path from within the chroot directory.
 
 
 ### `merge` [filebeat-input-journald-merge]

@@ -817,6 +817,15 @@ filebeat.inputs:
   #paths:
     #- /var/log/custom.journal
 
+  # Specify a folder to be used as chroot when calling the journalct binary
+  #chroot:
+
+  # The absolute path for the `journalctl` binary. If not set Filebeat
+  # will look for `journalctl` in `PATH`. When using
+  # `chroot`, `journalct_path` must be
+  # an absolute path from within the chroot directory.
+  #journalctl_path:
+
   # When enabled, log entries will be ingested interleaved from all
   # available journals, including remote ones.
   #merge: false

@@ -1230,6 +1230,15 @@ filebeat.inputs:
   #paths:
     #- /var/log/custom.journal
 
+  # Specify a folder to be used as chroot when calling the journalct binary
+  #chroot:
+
+  # The absolute path for the `journalctl` binary. If not set Filebeat
+  # will look for `journalctl` in `PATH`. When using
+  # `chroot`, `journalct_path` must be
+  # an absolute path from within the chroot directory.
+  #journalctl_path:
+
   # When enabled, log entries will be ingested interleaved from all
   # available journals, including remote ones.
   #merge: false

@@ -15,6 +15,8 @@
 // specific language governing permissions and limitations
 // under the License.
 
+// This file was contributed to by generative AI
+
 //go:build linux
 
 package journald
@@ -76,6 +78,18 @@ type config struct {
 	// Allow ingesting log entries interleaved from all available journals,
 	// including remote ones.
 	Merge bool `config:"merge"`
+
+	// Chroot is the chroot folder used to call journalctl
+	Chroot string `config:"chroot"`
+
+	// JournalctlPath specifies the path to the `journalctl` binary.
+	// This field is required only if the Chroot option is set, as the
+	// input needs to locate the binary within the chroot environment.
+	// If Chroot is set, JournalctlPath must be an absolute path within
+	// the chroot environment. If JournalctlPath is not explicitly set,
+	// it defaults to `journalctl`, which assumes that the `journalctl`
+	// binary is available in the system's `PATH` environment variable.
+	JournalctlPath string `config:"journalctl_path"`
 }
 
 // bwcIncludeMatches is a wrapper that accepts include_matches configuration
@@ -107,5 +121,6 @@ func defaultConfig() config {
 	return config{
 		Seek:               journalctl.SeekHead,
 		SaveRemoteHostname: false,
+		JournalctlPath:     "journalctl",
 	}
 }
@@ -22,6 +22,8 @@
 import (
 	"errors"
 	"fmt"
+	"os"
+	"path/filepath"
 	"strconv"
 	"time"
 
@@ -57,8 +59,9 @@
 	Facilities         []int
 	SaveRemoteHostname bool
 	Parsers            parser.Config
-	Journalctl         bool
 	Merge              bool
+	Chroot             string
+	JournalctlPath     string
 }
 
 type checkpoint struct {
@@ -112,6 +115,21 @@
 		sources[i] = pathSource(p)
 	}
 
+	if config.Chroot != "" {
+		chrootStat, err := os.Stat(config.Chroot)
+		if err != nil {
+			return nil, nil, fmt.Errorf("cannot stat chroot:  %w", err)
+		}
+		if !chrootStat.IsDir() {
+			return nil, nil, fmt.Errorf("provided chroot (%s) is not a directory", config.Chroot)
+		}
+
+		fullPath := filepath.Join(config.Chroot, config.JournalctlPath)
+		if _, err := os.Stat(fullPath); err != nil {
+			return nil, nil, fmt.Errorf("cannot stat journalctl binary in chroot: %w", err)
+		}
+	}
+
 	return sources, &journald{
 		ID:                 config.ID,
 		Since:              config.Since,
@@ -124,6 +142,8 @@
 		SaveRemoteHostname: config.SaveRemoteHostname,
 		Parsers:            config.Parsers,
 		Merge:              config.Merge,
+		Chroot:             config.Chroot,
+		JournalctlPath:     config.JournalctlPath,
 	}, nil
 }
 
@@ -143,7 +163,7 @@
 		inp.Since,
 		src.Name(),
 		inp.Merge,
-		journalctl.Factory,
+		journalctl.NewFactory(inp.Chroot, inp.JournalctlPath),
 	)
 	if err != nil {
 		return err
@@ -179,7 +199,7 @@
 		inp.Since,
 		src.Name(),
 		inp.Merge,
-		journalctl.Factory,
+		journalctl.NewFactory(inp.Chroot, inp.JournalctlPath),
 	)
 	if err != nil {
 		wrappedErr := fmt.Errorf("could not start journal reader: %w", err)
@@ -347,7 +367,7 @@
 	}

 	m := reader.Message{
 		Ts:      time.UnixMicro(int64(data.RealtimeTimestamp)),
 		Content: content,
 		Bytes:   len(content),
 		Fields:  fields,