Recently I was setting up an instance of Journalbeat to publish journald logs to our ELK stack. I wanted to publish only the logs of a select set of applications, so I was using the following configuration:

```yaml
- paths: []
  seek: cursor
  cursor_seek_fallback: tail
  include_matches:
    - "systemd.unit=name_of_application" # this will not work!
    - "systemd.unit=another_application" # this will not work!
```
In this case, upon restarting Journalbeat, it kept repeating the following error in its logs:
```
Error while reading event: failed to get realtime timestamp: 99
```
If I removed the `include_matches` section, everything worked just fine. In the end, I found the answer in this GitHub issue: use the full name of the systemd unit, including the `.service` suffix.

```yaml
- paths: []
  seek: cursor
  cursor_seek_fallback: tail
  include_matches:
    - "systemd.unit=name_of_application.service"
    - "systemd.unit=another_application.service"
```
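Because the broken configuration only fails at runtime, a pre-deploy check for this mistake is useful. The script below is an added example (not Journalbeat code): it pulls the `include_matches` entries out of an input fragment with a small line-based parser and flags `systemd.unit` (or raw journald `_SYSTEMD_UNIT`) matches that lack a unit-type suffix; the config fragments are constructed copies of the two versions above.

```python
import re

# Unit-type suffixes from systemd.unit(5); journald stores the full unit name in _SYSTEMD_UNIT.
UNIT_SUFFIXES = (".service", ".socket", ".device", ".mount", ".automount", ".swap",
                 ".target", ".path", ".timer", ".slice", ".scope")

# One list item of include_matches: optional quotes, FIELD=VALUE, optional trailing comment.
MATCH_RE = re.compile(r'^\s*-\s*"?(?P<field>[A-Za-z0-9_.]+)=(?P<value>[^"#]*?)"?\s*(#.*)?$')

# Constructed fragments mirroring the broken and the fixed configuration from the post.
BAD_CONFIG = """\
- paths: []
  seek: cursor
  cursor_seek_fallback: tail
  include_matches:
    - "systemd.unit=name_of_application" #this will not work!
    - "systemd.unit=another_application" #this will not work!
"""
GOOD_CONFIG = BAD_CONFIG.replace('application"', 'application.service"')

def parse_include_matches(config_text):
    """Return (field, value) pairs listed under include_matches in a journalbeat input fragment."""
    matches, section_indent = [], None
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if stripped.startswith("include_matches:"):
            section_indent = indent
            continue
        if section_indent is None:
            continue
        m = MATCH_RE.match(line)
        if indent > section_indent and m:
            matches.append((m.group("field"), m.group("value")))
        else:
            section_indent = None  # list ended; keep scanning for another include_matches block
    return matches

def check_unit_matches(matches):
    """Flag unit matches without a unit-type suffix, the mistake that triggered the error above."""
    problems = []
    for field, value in matches:
        if field in ("systemd.unit", "_SYSTEMD_UNIT") and not value.endswith(UNIT_SUFFIXES):
            problems.append(f"{field}={value}: full unit name required, e.g. {value}.service")
    return problems

if __name__ == "__main__":
    for name, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(name, check_unit_matches(parse_include_matches(cfg)) or "OK")
```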