How to configure a Filebeat journald input

Collecting journald with Filebeat keeps service and kernel messages searchable even when applications never write flat log files. A dedicated journal input is useful on hosts where systemd owns the primary log path and operational checks need one pipeline for both service metadata and message text.

The journald input reads the local system journal by calling journalctl, then turns each matching entry into a Filebeat event. Current Filebeat releases keep a per-input cursor in the registry, so the same stable id lets restarts resume from the saved position instead of re-reading the journal from scratch.

Journal access still depends on the runtime environment. The filebeat service usually needs root or membership in the systemd-journal group to read the journal. Once a cursor has been saved, seek is ignored until the input id changes. Containerized Filebeat deployments need a compatible journalctl binary because the Wolfi image does not include one.

Steps to configure a Filebeat journald input:

  1. Create a backup copy of the current Filebeat configuration.
    $ sudo cp /etc/filebeat/filebeat.yml /etc/filebeat/filebeat.yml.bak
  2. Open the Filebeat configuration file for editing.
    $ sudoedit /etc/filebeat/filebeat.yml
  3. Add a journald input with a stable id and a filter that limits collection to the intended service.
    filebeat.inputs:
      - type: journald
        id: systemd-journal
        seek: since
        since: -24h
        include_matches:
          match:
            - _SYSTEMD_UNIT=sshd.service

    Leave paths unset to read the default local journal. Add paths: only when Filebeat must read a specific journal file or directory such as /var/log/journal. include_matches is evaluated by journalctl before events reach Filebeat, so it is more efficient than collecting everything and dropping events later.

    Each journald input needs a unique, stable id. If the id changes, Filebeat treats the input as new and starts with a fresh cursor. If the filebeat service cannot read the journal, add the service account to the systemd-journal group or run Filebeat with equivalent permissions.

  4. Inspect a recent journal entry when the match field or unit name is uncertain.
    $ sudo journalctl -o json -n 1 --no-pager
    {"_SYSTEMD_UNIT":"sshd.service","MESSAGE":"Server listening on 0.0.0.0 port 22.","PRIORITY":"6","SYSLOG_IDENTIFIER":"sshd"}

    Current Filebeat documentation recommends using journalctl -o json to discover available journal fields for include_matches filters. Replace _SYSTEMD_UNIT=sshd.service with the field or value that matches the intended logs.

  5. Test the Filebeat configuration before restarting the service.
    $ sudo filebeat test config -c /etc/filebeat/filebeat.yml
    Config OK
  6. Export the resolved configuration and confirm the journald input is active.
    $ sudo filebeat export config -c /etc/filebeat/filebeat.yml | sed -n '1,20p'
    filebeat:
      inputs:
      - id: systemd-journal
        include_matches:
          match:
          - _SYSTEMD_UNIT=sshd.service
        seek: since
        since: -24h
        type: journald
    ##### snipped #####

    This is a quick way to catch indentation mistakes or confirm the expected input is still present after combining /etc/filebeat/filebeat.yml with other loaded config snippets.

  7. Restart the Filebeat service to apply the updated input configuration.
    $ sudo systemctl restart filebeat
  8. Check that the Filebeat service returned to an active state.
    $ sudo systemctl status filebeat --no-pager --lines=20
    ● filebeat.service - Filebeat sends log files to Logstash or Elasticsearch.
         Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; preset: enabled)
         Active: active (running) since Thu 2026-04-02 11:54:19 UTC; 6s ago
       Main PID: 4821 (filebeat)
    ##### snipped #####
  9. Review recent Filebeat logs for the journald startup messages and the generated journalctl command.
    $ sudo journalctl -u filebeat.service -n 50 --no-pager -o cat | grep -E "Input 'journald' starting|Journalctl command|journalctl started"
    {"log.level":"info","@timestamp":"2026-04-02T11:47:28.925Z","log.logger":"input.journald","message":"Input 'journald' starting","service.name":"filebeat","id":"systemd-journal","ecs.version":"1.6.0"}
    {"log.level":"info","@timestamp":"2026-04-02T11:47:28.930Z","log.logger":"input.journald.reader.journalctl-runner","message":"Journalctl command. Paths relative to chroot (if set)","service.name":"filebeat","id":"systemd-journal","input_source":"LOCAL_SYSTEM_JOURNAL","path":"LOCAL_SYSTEM_JOURNAL","input_id":"systemd-journal","process.command_line":"journalctl --utc --output=json --no-pager --all --follow _SYSTEMD_UNIT=sshd.service --since 2026-04-01 11:47:28.929642043 --boot all","process.chroot":"","ecs.version":"1.6.0"}
    {"log.level":"info","@timestamp":"2026-04-02T11:47:28.932Z","log.logger":"input.journald.reader.journalctl-runner","message":"journalctl started","service.name":"filebeat","id":"systemd-journal","input_source":"LOCAL_SYSTEM_JOURNAL","path":"LOCAL_SYSTEM_JOURNAL","input_id":"systemd-journal","process.pid":30,"ecs.version":"1.6.0"}

    If Filebeat is configured to log to files instead of journald, inspect /var/log/filebeat/ for the same messages. On containerized deployments, a missing or incompatible journalctl binary usually fails here first.
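Step 9 greps for three startup messages by eye; the following added Python script (not part of this guide or of Filebeat) parses the same ECS JSON log lines and cross-checks every configured journald input: that journalctl actually started for its id, that each include_matches value appears on the spawned command line, and that ids are unique. The input list and log lines are constructed samples modelled on the ones above.

```python
import json

# Constructed sample: journald inputs as they would be parsed from filebeat.yml.
CONFIGURED_INPUTS = [
    {"type": "journald", "id": "systemd-journal", "include_matches": {"match": ["_SYSTEMD_UNIT=sshd.service"]}},
    {"type": "journald", "id": "kernel-journal", "include_matches": {"match": ["_TRANSPORT=kernel"]}},
]

# Constructed sample of Filebeat's ECS JSON log, modelled on the step 9 startup messages.
# The kernel-journal input logs its command but never reports "journalctl started".
SAMPLE_LOG = """\
{"log.level":"info","log.logger":"input.journald","message":"Input 'journald' starting","id":"systemd-journal"}
{"log.level":"info","log.logger":"input.journald.reader.journalctl-runner","message":"Journalctl command. Paths relative to chroot (if set)","input_id":"systemd-journal","process.command_line":"journalctl --utc --output=json --no-pager --all --follow _SYSTEMD_UNIT=sshd.service --since 2026-04-01 11:47:28.929642043 --boot all"}
{"log.level":"info","log.logger":"input.journald.reader.journalctl-runner","message":"journalctl started","input_id":"systemd-journal","process.pid":30}
{"log.level":"info","log.logger":"input.journald.reader.journalctl-runner","message":"Journalctl command. Paths relative to chroot (if set)","input_id":"kernel-journal","process.command_line":"journalctl --utc --output=json --no-pager --all --follow _TRANSPORT=kernel --boot all"}
"""

def parse_journald_log(text):
    """Group journald input/runner messages by input id; non-JSON lines are skipped."""
    report = {}
    for line in text.splitlines():
        rec = json.loads(line) if line.startswith("{") else {}
        if not str(rec.get("log.logger", "")).startswith("input.journald"):
            continue
        entry = report.setdefault(rec.get("input_id") or rec.get("id"), {"started": False, "command": None})
        msg = rec.get("message", "")
        if msg.startswith("Journalctl command"):
            entry["command"] = rec.get("process.command_line")
        elif msg == "journalctl started":
            entry["started"] = True
    return report

def check_inputs(inputs, report):
    """Return one problem per journald input that is misconfigured or not running."""
    problems, seen = [], set()
    for inp in (i for i in inputs if i.get("type") == "journald"):
        iid = inp.get("id")
        if not iid or iid in seen:  # a duplicate or missing id breaks cursor tracking
            problems.append(f"duplicate or missing id: {iid!r}")
            continue
        seen.add(iid)
        entry = report.get(iid, {"started": False, "command": None})
        if not entry["started"]:
            problems.append(f"{iid}: journalctl never started (check permissions/binary)")
            continue
        argv = (entry["command"] or "").split()
        for m in inp.get("include_matches", {}).get("match", []):
            if m not in argv:  # filter absent means the input would collect everything
                problems.append(f"{iid}: match {m} missing from journalctl command")
    return problems
```

Feed it the real log with `journalctl -u filebeat.service -o cat` (or the files under /var/log/filebeat/) and the inputs from `filebeat export config` to get one line per input that needs attention.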