Shipping systemd journal entries with Filebeat keeps service logs searchable and consistent across hosts, even when applications write only to journald instead of flat files. Centralized journal events simplify troubleshooting, alerting, and auditing by keeping messages and metadata in one pipeline.
The journald input reads records from the binary system journal and converts each entry into a Filebeat event. Filebeat stores the last processed journal cursor in its registry, allowing restarts to resume from the correct position instead of replaying older logs.
Journal access depends on where systemd-journald stores data: persistent journals are typically under /var/log/journal, while volatile journals live under /run/log/journal and can disappear after reboot. Running Filebeat as a non-root service account may require membership in the systemd-journal group (or equivalent permissions), and changing the input id creates a new cursor state that can cause duplicate ingestion.
Steps to configure a Filebeat journald input:
- Open the Filebeat configuration file.
$ sudo nano /etc/filebeat/filebeat.yml
- Add a journald input with a unique id.
filebeat.inputs:
  - type: journald
    id: systemd-journal
    seek: head
Keep a single filebeat.inputs key. Append additional inputs as new list items. The id value namespaces the saved journal cursor, so keeping it stable helps prevent duplicate ingestion after restarts.
Permission errors in Filebeat logs typically indicate journal access issues. Grant read access by adding the service account to the systemd-journal group (for example sudo usermod --append --groups systemd-journal filebeat). Restart the service to apply new group membership.
- Test the configuration for errors.
$ sudo filebeat test config -c /etc/filebeat/filebeat.yml
Config OK
- Restart the Filebeat service.
$ sudo systemctl restart filebeat
- Review recent Filebeat logs for journal ingestion activity.
$ sudo journalctl --unit=filebeat --no-pager --lines=30
Jan 06 22:26:45 host filebeat[8921]: {"log.level":"info","@timestamp":"2026-01-06T22:26:45.503Z","log.logger":"input.journald.metric_registry","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/monitoring/inputmon.NewMetricsRegistry","file.name":"inputmon/input.go","file.line":182},"message":"registering","service.name":"filebeat","id":"systemd-journal","registry_id":"systemd-journal","input_id":"systemd-journal","input_type":"journald","ecs.version":"1.6.0"}
Jan 06 22:26:45 host filebeat[8921]: {"log.level":"info","@timestamp":"2026-01-06T22:26:45.503Z","log.logger":"input.journald.reader.journalctl-runner","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/journald/pkg/journalctl.Factory","file.name":"journalctl/journalctl.go","file.line":140},"message":"Journalctl command: journalctl --utc --output=json --no-pager --all --follow --no-tail --boot all","service.name":"filebeat","id":"systemd-journal","input_source":"LOCAL_SYSTEM_JOURNAL","path":"LOCAL_SYSTEM_JOURNAL","input_id":"systemd-journal","ecs.version":"1.6.0"}
Jan 06 22:26:45 host filebeat[8921]: {"log.level":"info","@timestamp":"2026-01-06T22:26:45.504Z","log.logger":"input.journald.reader.journalctl-runner","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/journald/pkg/journalctl.Factory","file.name":"journalctl/journalctl.go","file.line":146},"message":"journalctl started with PID 8932","service.name":"filebeat","id":"systemd-journal","input_source":"LOCAL_SYSTEM_JOURNAL","path":"LOCAL_SYSTEM_JOURNAL","input_id":"systemd-journal","ecs.version":"1.6.0"}
##### snipped #####
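A small checker for the log review in the last step, added here as an example and not part of the original page or of Filebeat itself. It keys on the three journald messages shown in the output above; the function names, the SAMPLE lines, and the rule that any level other than debug/info counts as a problem are assumptions.

```python
import json
import sys

# Constructed sample: the three journald lines from the output above with
# log.origin trimmed, one made-up error event for another id, one non-JSON line.
SAMPLE = [
    'Jan 06 22:26:45 host filebeat[8921]: {"log.level":"info","log.logger":"input.journald.metric_registry","message":"registering","input_id":"systemd-journal"}',
    'Jan 06 22:26:45 host filebeat[8921]: {"log.level":"info","log.logger":"input.journald.reader.journalctl-runner","message":"Journalctl command: journalctl --utc --output=json --no-pager --all --follow --no-tail --boot all","input_id":"systemd-journal"}',
    'Jan 06 22:26:45 host filebeat[8921]: {"log.level":"info","log.logger":"input.journald.reader.journalctl-runner","message":"journalctl started with PID 8932","input_id":"systemd-journal"}',
    'Jan 06 22:26:46 host filebeat[8921]: {"log.level":"error","log.logger":"input.journald","message":"constructed failure text","input_id":"other-journal"}',
    "Jan 06 22:26:47 host systemd[1]: a non-JSON line that must be skipped",
]

CMD_PREFIX = "Journalctl command: "
PID_PREFIX = "journalctl started with PID "

def parse_line(line):
    """Return the JSON object embedded in one journalctl line, or None."""
    try:
        event = json.loads(line[line.index("{"):])
    except ValueError:  # no "{" in the line, or invalid JSON after it
        return None
    return event if isinstance(event, dict) else None

def check_journald_input(lines, input_id):
    """Summarise what Filebeat logged for the journald input with this id."""
    status = {"registered": False, "command": None, "pid": None, "problems": []}
    for line in lines:
        event = parse_line(line) or {}
        logger = str(event.get("log.logger", ""))
        if event.get("input_id") != input_id or not logger.startswith("input.journald"):
            continue
        message = str(event.get("message", ""))
        # Assumption: any level other than debug/info on this input needs review.
        if event.get("log.level") not in ("debug", "info"):
            status["problems"].append(message)
        elif message == "registering":
            status["registered"] = True
        elif message.startswith(CMD_PREFIX):
            status["command"] = message[len(CMD_PREFIX):]
        elif message.startswith(PID_PREFIX) and message[len(PID_PREFIX):].isdigit():
            status["pid"] = int(message[len(PID_PREFIX):])
    status["healthy"] = bool(status["registered"] and status["pid"] and not status["problems"])
    return status

if __name__ == "__main__":
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    print(check_journald_input(source, sys.argv[1] if len(sys.argv) > 1 else "systemd-journal"))
```

To check a live host, pipe the output of sudo journalctl --unit=filebeat --no-pager into the script and pass the input id as the first argument. Without piped input it runs against the constructed sample.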
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
