Currently, the container image of filebeat ships with Ubuntu 20.04 ("focal") as its OS, which uses libsystemd0 version 245.
However, this is incompatible with newer host OS versions, as most of them use a systemd version >=246, which introduced zstd compression:
> * systemd-journald gained support for zstd compression of large fields
>   in journal files. The hash tables in journal files have been hardened
>   against hash collisions. This is an incompatible change and means
>   that journal files created with new systemd versions are not readable
>   with old versions. If the $SYSTEMD_JOURNAL_KEYED_HASH boolean
>   environment variable for systemd-journald.service is set to 0 this
>   new hardening functionality may be turned off, so that generated
>   journal files remain compatible with older journalctl
>   implementations.
Source: systemd/NEWS at 114e85d28e9543e39d25414475c3f7e70a6fcbbb · systemd/systemd · GitHub
Thus, when using the container image, the journald input does not ship logs anymore unless the compression and hardening are deactivated on the host.
The issue has also been discussed multiple times (journalbeat):
- JournalBeat Stopped Shipping Logs
- [Journalbeat] Can't read journal logs since systemd 246 · Issue #22129 · elastic/beats · GitHub
- Journalbeat skips connection to logstash or elasticsearch · Issue #23220 · elastic/beats · GitHub
And the most recent one (covering the journald input of filebeat):
AFAIK right now there is no "official" resolution to this issue within filebeat. One solution I tried is to update the Ubuntu version of the filebeat image to the newest LTS, 22.04, which ships with libsystemd0 v249; I also suggested this update in the issue above.
I researched a bit, and for example fluentbit got rid of this issue by simply using a backported libsystemd version in Debian, but for Ubuntu there seems to be no such backport. So would it be possible to get an official container image with Ubuntu 22.04?
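
An added example, not part of the original post and not code from filebeat or systemd: a check that reads the `incompatible_flags` field of a journal file header and reports which features a reader with a given libsystemd version cannot handle, so a silent log-shipping gap can be spotted before deployment. The flag names and bit positions follow systemd's published journal file format; the function names and the sample header are constructed for illustration.

```python
import struct
import sys

SIGNATURE = b"LPKSHHRH"  # magic at offset 0 of every journal file

# incompatible_flags bit -> (name, first systemd version able to read it).
# 0 means "older than any version discussed here".
FLAGS = {
    0x1: ("COMPRESSED_XZ", 0),
    0x2: ("COMPRESSED_LZ4", 0),
    0x4: ("KEYED_HASH", 246),       # hash table hardening
    0x8: ("COMPRESSED_ZSTD", 246),  # zstd compression of large fields
}


def incompatible_flags(header: bytes) -> int:
    """Return the le32 incompatible_flags field (offset 12) of a header."""
    if len(header) < 16 or header[:8] != SIGNATURE:
        raise ValueError("not a journal file header")
    _compatible, incompatible = struct.unpack_from("<II", header, 8)
    return incompatible


def unreadable_features(header: bytes, reader_version: int) -> list[str]:
    """List features in the file that reader_version cannot parse."""
    flags = incompatible_flags(header)
    blocked = []
    for bit in (1 << i for i in range(32)):
        if not flags & bit:
            continue
        name, min_version = FLAGS.get(bit, (f"UNKNOWN(0x{bit:x})", None))
        # Unknown bits are treated as unreadable, as old readers do.
        if min_version is None or reader_version < min_version:
            blocked.append(name)
    return blocked


# Constructed sample: header of a file written with keyed hash and zstd.
SAMPLE_HEADER = SIGNATURE + struct.pack("<II", 0, 0x4 | 0x8) + bytes(16)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, unreadable_features(fh.read(16), 245))
    else:
        print("sample", unreadable_features(SAMPLE_HEADER, 245))
```

Run it against the host's journal files (typically under `/var/log/journal/<machine-id>/`); any non-empty list for version 245 means the Ubuntu 20.04 based image cannot read that file.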