Journald input cannot read zstd compressed journal

Currently, the container image of filebeat ships with Ubuntu 20.04 ("focal") as OS, which uses libsystemd0 version 245.

However, this is incompatible with newer Host OS versions, as most of them use a systemd version >=246, which introduced zstd compression:

        * systemd-journald gained support for zstd compression of large fields
          in journal files. The hash tables in journal files have been hardened
          against hash collisions. This is an incompatible change and means
          that journal files created with new systemd versions are not readable
          with old versions. If the $SYSTEMD_JOURNAL_KEYED_HASH boolean
          environment variable for systemd-journald.service is set to 0 this
          new hardening functionality may be turned off, so that generated
          journal files remain compatible with older journalctl
          implementations.

Source: systemd/NEWS at 114e85d28e9543e39d25414475c3f7e70a6fcbbb · systemd/systemd · GitHub

Thus, when using the container image, the journald input does not ship logs anymore unless the compression and hardening are deactivated on the host.

The issue has also been discussed multiple times (journalbeat):

And the most recent one (covering the journald input of filebeat):

AFAIK right now there is no "official" resolution to this issue within filebeat. One solution I tried is to update the Ubuntu version of the filebeat image to the newest LTS, 22.04, which ships with libsystemd0 v249, and I also suggested this update in the issue above.

I researched a bit, and for example fluentbit got rid of this issue by simply using a backported libsystemd version in Debian, but for Ubuntu there seems to be no such backport. So would it be possible to get an official container image with Ubuntu 22.04?
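Added example, not part of the original post and not filebeat or systemd code: a small check that reads the header of a journal file and names the incompatible-format flags (including the keyed-hash and zstd flags described in the NEWS entry above) that an older reader would reject, which helps confirm why a shipper has gone silent. The function names and the `OLD_READER_SUPPORTED` mask are assumptions for illustration; the mask assumes the older libsystemd was built with XZ and LZ4 support.

```python
import struct
import sys

SIGNATURE = b"LPKSHHRH"  # magic bytes at offset 0 of a journal file

# Bits of the little-endian incompatible_flags word at offset 12 of the header.
INCOMPATIBLE_FLAGS = {
    1 << 0: "COMPRESSED_XZ",
    1 << 1: "COMPRESSED_LZ4",
    1 << 2: "KEYED_HASH",       # hash-table hardening from the NEWS entry
    1 << 3: "COMPRESSED_ZSTD",  # zstd compression from the NEWS entry
    1 << 4: "COMPACT",
}
# Assumption: the older reader was built with XZ and LZ4 and knows no other bit.
OLD_READER_SUPPORTED = (1 << 0) | (1 << 1)


def make_header(incompatible, compatible=0):
    """Build a constructed 16-byte header prefix for demonstration."""
    return SIGNATURE + struct.pack("<II", compatible, incompatible)


def blocking_flags(header, supported=OLD_READER_SUPPORTED):
    """Return names of incompatible flags the reader does not support."""
    if len(header) < 16 or header[:8] != SIGNATURE:
        raise ValueError("not a systemd journal file header")
    _compatible, incompatible = struct.unpack_from("<II", header, 8)
    unknown = incompatible & ~supported
    return [INCOMPATIBLE_FLAGS.get(1 << i, f"UNKNOWN_BIT_{i}")
            for i in range(32) if unknown & (1 << i)]


def check_file(path):
    """Read the first 16 bytes of a journal file and classify it."""
    with open(path, "rb") as fh:
        return blocking_flags(fh.read(16))


if __name__ == "__main__":
    # With no arguments, run on constructed samples; otherwise on given paths.
    if len(sys.argv) == 1:
        print("constructed new-style header:", blocking_flags(make_header(0b1100)))
        print("constructed old-style header:", blocking_flags(make_header(0b0010)))
    for path in sys.argv[1:]:
        flags = check_file(path)
        verdict = "unreadable by old reader: " + ", ".join(flags) if flags else "ok"
        print(f"{path}: {verdict}")
```

Run it inside the shipper's container against the mounted journal files; any non-empty result means the bundled library will refuse the file.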
