Filebeat Bug: journal remote directory unhandled

log1 · January 11, 2026, 12:17am

Filebeat version: 8.19.9
OS: Debian 13

Documentation here Journald input | Beats, states:

For example, this configuration will ingest all journals and correctly handle the journald rotation:

- type: journald
  id: journald-id
  paths:
    - /var/log/journal

My configuration:

filebeat.inputs:
- type: journald
  paths:
    - /var/log/journal

I have a journal-remote setup to write a journal file to /var/log/journal/remote/remote-::1.journal (Default location for a daemon sending logs from the local system to the systemd-journal-remote service socket)

Logs do show up in that journal file when I manually check via journalctl --directory /var/log/journal/remote/

Filebeat is successfully reading the normal system journal, but not this remote entry, which is counter to the documentation will ingest all journals

Checking the current command line call from filebeat shows it is using journalctl --utc --output=json --no-pager --all --follow --directory /var/log/journal --boot all

Which does NOT capture the remote directory.

Testing it out manually, with command:

journalctl --utc --output=json --no-pager --all --follow --directory /var/log/journal/remote --boot all

Gives error

No journal boot entry found for the specified boot (+0).

Which, if I change my filebeat configuration to watch the remote directory, results in the same error:

filebeat.inputs:
- type: journald
  paths:
    - /var/log/journal/remote

{"log.level":"error","@timestamp":"2026-01-10T16:09:17.576-0800","log.logger":"input.journald.reader.journalctl-runner","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/journald/pkg/journalctl.Factory.func1","file.name":"journalctl/journalctl.go","file.line":87},"message":"Journalctl wrote to stderr: No journal boot entry found for the specified boot (+0).\n","service.name":"filebeat","id":"17CA0B95460BE288","input_source":"/var/log/journal/remote","path":"/var/log/journal/remote","input_id":"","ecs.version":"1.6.0"}

{"log.level":"error","@timestamp":"2026-01-10T16:09:17.577-0800","log.logger":"input.journald.reader.journalctl-runner","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/journald/pkg/journalctl.Factory.func3","file.name":"journalctl/journalctl.go","file.line":154},"message":"journalctl exited with an error, exit code 1 ","service.name":"filebeat","id":"17CA0B95460BE288","input_source":"/var/log/journal/remote","path":"/var/log/journal/remote","input_id":"","ecs.version":"1.6.0"}

So it would seem it is impossible, through the config, to make filebeat read a journal-remote file.

Please correct documentation to annotate this disparity or implement the proper journalctl command to follow a non-boot based journal directory when provided (e.g. /var/log/journal/remote, i.e. the default installation setup for system-journal-remote).

Thank you.

Topic		Replies	Views
Can journalbeat monitor journal entries from remote machines? Beats	2	1097	November 4, 2022
Filebeat jounald input paths parameter issue Beats filebeat	1	61	November 19, 2024
Journalbeat 6.7 repeats old log records after rotation Beats journalbeat	5	1147	November 4, 2022
Journalbeat does not support globbing? Beats journalbeat , filebeat	1	499	October 13, 2020
Journalbeat can't open a log file Beats journalbeat	4	1071	September 22, 2020

Filebeat Bug: journal remote directory unhandled

Related topics