[syslog-ng] Filtering all systemd user service logs
Fabien Wernli
wernli at in2p3.fr
Mon May 2 07:09:52 UTC 2022
Hi Thomas,
On Fri, Apr 29, 2022 at 11:31:22AM +0200, Thomas Preisner wrote:
> So far, I've been using the following source configuration:
>
> source src
> {
> internal();
> system();
> udp();
> udp6();
> };
Usually on Debian, the system() source resolves to some SCL magic including
the systemd-journal() source driver. This one should collect systemd macros,
resulting in things like the following:
"_SYSTEMD_UNIT":"xinetd.service","_SYSTEMD_SLICE":"system.slice","_SYSTEMD_CGROUP":"/system.slice/xinetd.service","_SOURCE_REALTIME_TIMESTAMP":"1651475094855675"
Although I haven't checked, I guess there is a field holding the information
whether or not it's a user or system service. You can check that either using
syslog-ng and outputting everything as json, or using journald:
journalctl -f -o json
If you find a macro that would let you separate the user from the system
journal messages, you can then simply use a filter, or an if-else block.
Fabien
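
Added example, not part of the original message or of syslog-ng: a small script for the field check suggested above. It reads `journalctl -o json` lines and reports which fields appear in every user-service entry and in no other entry. It assumes that units run by a per-user systemd manager live in a cgroup under /user.slice/user-UID.slice/user@UID.service/; the function names and the sample entries are constructed for illustration.

```python
import json
import re
import sys

# Cgroup path of a unit started by a per-user systemd manager (user@UID.service).
USER_MANAGER_CGROUP = re.compile(r"^/user\.slice/user-\d+\.slice/user@\d+\.service/.")

def parse_entries(lines):
    """Yield one dict per journal entry; skip blank and non-JSON lines."""
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict):
            yield entry

def is_user_service(entry):
    # journalctl emits non-UTF-8 values as arrays, so insist on a string.
    cgroup = entry.get("_SYSTEMD_CGROUP")
    return isinstance(cgroup, str) and bool(USER_MANAGER_CGROUP.match(cgroup))

def discriminating_fields(lines):
    """Fields present in every user-service entry and in no other entry."""
    user, other = [], []
    for entry in parse_entries(lines):
        (user if is_user_service(entry) else other).append(set(entry))
    if not user:
        return []
    return sorted(set.intersection(*user) - set().union(*other))

# Constructed sample entries (not taken from a real journal).
_U = "/user.slice/user-1000.slice"
SAMPLE = [json.dumps(e) for e in (
    {"MESSAGE": "system unit", "_SYSTEMD_UNIT": "xinetd.service",
     "_SYSTEMD_SLICE": "system.slice", "_SYSTEMD_CGROUP": "/system.slice/xinetd.service"},
    {"MESSAGE": "login session", "_SYSTEMD_UNIT": "session-3.scope", "_SYSTEMD_SESSION": "3",
     "_SYSTEMD_SLICE": "user-1000.slice", "_SYSTEMD_OWNER_UID": "1000",
     "_SYSTEMD_CGROUP": _U + "/session-3.scope"},
    {"MESSAGE": "user unit", "_SYSTEMD_UNIT": "user@1000.service",
     "_SYSTEMD_USER_UNIT": "backup.service", "_SYSTEMD_USER_SLICE": "app.slice",
     "_SYSTEMD_SLICE": "user-1000.slice", "_SYSTEMD_OWNER_UID": "1000",
     "_SYSTEMD_CGROUP": _U + "/user@1000.service/app.slice/backup.service"},
)]

if __name__ == "__main__":
    # "-" reads `journalctl -o json` output from stdin; otherwise use the sample.
    source = sys.stdin if "-" in sys.argv[1:] else SAMPLE
    print(discriminating_fields(source))
```

Whatever field this reports still has to be looked up in syslog-ng's own JSON output, because the filter must reference the macro name that syslog-ng assigns to it.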