[filebeat] Drop __REALTIME_TIMESTAMP from the output that caused the new field "journald.custom.realtime_timestamp" in the final event document

[aleksmaus]

Proposed commit message

Drop __REALTIME_TIMESTAMP from the output that caused the new field "journald.custom.realtime_timestamp" in the final event document.

This field was not stored before, thus it is not mapped and causes an issue with the 8.16-SNAPSHOT
elastic/integrations#10757

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

• Closes [Stack 8.16.0-SNAPSHOT] [iptables] Failing test daily: system test: journald in iptables.log integrations#10757

[elasticmachine]

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

[mergify]

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @aleksmaus? 🙏.
For such, you'll need to label your PR with:

• The upcoming major version of the Elastic Stack
• The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v8./d.0 is the label to automatically backport to the 8./d branch. /d is the digit

[andrewkroh]

Is the comment on L84 inaccurate? It also says it is used for the timestamp.

[aleksmaus]

It seems like it is not accurate, as far as I understand looking at the current code elastic/integrations#10757 (comment)
@belimawr am I missing some place where it is used?

[belimawr]

The comment on L84 was there before we started using journalctl to read the journal. Looking at the old code, the timestamp field was coming from the library we used, here is the code that reads the journal and sets the timestamps.

When I re-wrote it to use journalctl, I looked at the code and __REALTIME_TIMESTAMP seemed the best choice to keep the behaviour of the old code/library.

So the comment there might be misleading :/.

I did write a test that compares both implementations reading the same journal file, so I believe the behaviour has not changed with the new implementation.

[elasticmachine]

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)