Hi Thomas, On Fri, Apr 29, 2022 at 11:31:22AM +0200, Thomas Preisner wrote:
So far, I've been using the following source configuration:
source src { internal(); system(); udp(); udp6(); };
Usually on Debian, the system() source resolves to some scl magic including the systemd-journal() source driver. This one should collect systemd macros, resulting in things like the following:

"_SYSTEMD_UNIT":"xinetd.service","_SYSTEMD_SLICE":"system.slice","_SYSTEMD_CGROUP":"/system.slice/xinetd.service","_SOURCE_REALTIME_TIMESTAMP":"1651475094855675"

Although I haven't checked, I guess there is a field holding the information whether or not it's a user or system service. You can check that either using syslog-ng and outputting everything as JSON, or using journald:

journalctl -f -o json

If you find a macro that would let you separate the user from the system journal messages, you can then simply use a filter, or an if-else block.

Fabien
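Added example, not part of the thread: a small Python classifier that reads `journalctl -o json` records (one JSON object per line) and splits them into user-scope and system-scope messages. It relies on the user-scope fields `_SYSTEMD_USER_UNIT` and `_SYSTEMD_OWNER_UID` documented in systemd.journal-fields(7); treating those as the discriminator is an assumption you should confirm against the JSON output on your own host before turning it into a syslog-ng filter.

```python
import json
from typing import Iterable

# Journal fields from systemd.journal-fields(7). _SYSTEMD_UNIT is the field
# quoted in the thread; the two user-scope fields are the assumed discriminator
# between user services and system services (verify on your own journal).
SYSTEM_UNIT = "_SYSTEMD_UNIT"
USER_UNIT = "_SYSTEMD_USER_UNIT"
OWNER_UID = "_SYSTEMD_OWNER_UID"


def classify(entry: dict) -> str:
    """Return 'user', 'system' or 'unknown' for one decoded journal record."""
    # User-manager services also carry _SYSTEMD_UNIT (user@UID.service),
    # so the user-scope fields must be checked first.
    if USER_UNIT in entry or OWNER_UID in entry:
        return "user"
    if SYSTEM_UNIT in entry:
        return "system"
    return "unknown"


def split_journal(lines: Iterable[str]) -> dict:
    """Parse `journalctl -o json` lines and group the records by scope."""
    groups = {"user": [], "system": [], "unknown": []}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            # Keep unparseable lines visible rather than silently dropping them.
            groups["unknown"].append(line)
            continue
        groups[classify(entry)].append(entry)
    return groups


# Constructed sample records (not captured from a real host); the first line
# reuses the field values quoted in the thread.
SAMPLE = """
{"MESSAGE":"started","_SYSTEMD_UNIT":"xinetd.service","_SYSTEMD_SLICE":"system.slice","_SYSTEMD_CGROUP":"/system.slice/xinetd.service","_SOURCE_REALTIME_TIMESTAMP":"1651475094855675"}
{"MESSAGE":"sync done","_SYSTEMD_UNIT":"user@1000.service","_SYSTEMD_USER_UNIT":"sync.service","_SYSTEMD_OWNER_UID":"1000"}
{"MESSAGE":"kernel: something","_TRANSPORT":"kernel"}
"""

if __name__ == "__main__":
    for scope, entries in split_journal(SAMPLE.splitlines()).items():
        print(scope, [e.get("MESSAGE") if isinstance(e, dict) else e for e in entries])
```

The same membership test (presence of `_SYSTEMD_USER_UNIT`) is what you would express as the syslog-ng filter or if-else condition once you have confirmed the field name on the live journal.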