Recently I was setting up an instance of Journalbeat to publish journald logging to our ELK stack. I wanted to publish only the logs for a select set of applications, so I was using the following configuration.
- paths: []
seek: cursor
cursor_seek_fallback: tail
include_matches:
- "systemd.unit=name_of_application" #this will not work!
- "systemd.unit=another_application" #this will not work!
In this case, upon restarting Journalbeat, it kept repeating the following error in its logs:
Error while reading event: failed to get realtime timestamp: 99
If I removed the “include_matches”-section everything worked just fine. In the end, I found the answer in this Github issue: use the full name of the systemd unit, including .service.
- paths: []
seek: cursor
cursor_seek_fallback: tail
include_matches:
- "systemd.unit=name_of_application.service"
- "systemd.unit=another_application.service"
Top comments (0)