elasticmachine
commented
1 year ago Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
Open jamiehynds opened 1 year ago
elasticmachine
commented
1 year ago Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
andrewkroh
commented
1 year ago I think the best way to implement this would be to enhance the journald input to expose the ability to use time filtering. Then we can pass through a relative time filter like --since=now-{{ignore_older}} under the assumption that filtering at the source is a lot more efficient that trying to filter after reading and parsing the data.
--since option. https://www.freedesktop.org/software/systemd/man/journalctl.html#
efd6
commented
1 year ago I have a sketch for the change to the input, but I'm not particularly happy with it. It's based around using an open with parameter and it requires that the seek option be ignored if the since option is set.
elasticmachine
commented
7 months ago Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)
andrewkroh
commented
7 months ago The feature has been available in Filebeat since 8.10. See
seek: cursor
cursor_seek_fallback: since
since: -24hThe input package around it needs updated to expose the setting.
The new 'Custom Journald' integration does not include the 'ignore older than' setting, which other integrations include (e.g. System). Can we add the 'Ignore older than' setting under advanced options to the Journald integration?