journald filter is ignored if there is a sincedb cursor

[SpComb]

The configured filter => { ... } only gets applied if there is not cursor stored in the sincedb:

logstash-input-journald/lib/logstash/inputs/journald.rb

Line 119 in 723d2f7

@journal.filter(@filter)

This means that the configured filter works on the first logstash run, but restarting logstash causes the plugin to read in all journald entries, not only the filtered entries.

• Version: logstash 6.0.0
• Operating System: Docker docker.elastic.co/logstash/logstash image on RHEL 7
• Config File (if you have sensitive info, please remove it):

input {
        journald {
                path      => "/run/log/journal"
                sincedb_path    => "/tmp/logstash-test/.sincedb_journal"
                seekto    => "tail"
                lowercase => true
                filter    => {
                        "_SYSTEMD_UNIT" => "docker.service"
                        "_TRANSPORT"    => "journal"
                }
                type      => "docker"
                tags      => [ "journald" ]
        }
}

output {
        stdout { codec => rubydebug }
}

• Sample Data:

$ docker run --rm --log-driver journald busybox echo test
test

• Steps to Reproduce:

Run logstash with the sample config, and use docker run --log-driver journald ... to generate a test entry. Observe that only the docker container output is shown in the logstash stdout output.

Restart logstash, and observe that the logstash stdout output now includes all journald events.

Stop logstash, use rm /tmp/logstash-test/.sincedb_journal to clear the sincedb. Restart logstash, and observe that only the Docker container output is visible again.