Thanks for your answer! Sorry for being unclear about the intention of my question. I know about the journald inputs, but the stanza configs are kind of restricted in terms of filtering and therefore not very useful. For example, if I want to pick up sshd logs from journald with a separate stanza, I could do something like:

```
[journald://sshd]
journalctl-filter = _SYSTEMD_UNIT=sshd.service
```

This would ship all logs of the sshd daemon, and it's easy to search them by `source="journald://sshd"`. I could repeat this for all the other services of interest. However, I don't want to miss all the other logs that are not covered by separate stanzas. Therefore I'll need a "catch-all" stanza. But this will lead to a lot of duplicates, based on the fact that the journald input has no good solution to filter out already covered inputs. E.g. `journalctl-exclude-field = _SYSTEMD_UNIT=sshd.service` in my "catch-all" stanza won't work. If journald is the future of logging on Linux, this can't be the solution Splunk is offering. Additionally, it's going to make source-typing useless because all inputs will end up with `sourcetype=journald` on the indexer.
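As an added illustration (not from the post and not Splunk's own code), here is a small Python router over `journalctl -o json` output that reproduces the duplicate problem the post describes, a catch-all that takes every entry next to per-unit stanzas, and the exclusion logic that avoids it. The unit-to-sourcetype table and the sample journal entries are constructed.

```python
import json

# Constructed sample in the shape of `journalctl -o json` (one JSON object per line).
# Field names are real journald fields; the values are made up.
SAMPLE_JOURNAL = """\
{"_SYSTEMD_UNIT":"sshd.service","PRIORITY":"6","MESSAGE":"Accepted publickey for alice from 192.0.2.10"}
{"_SYSTEMD_UNIT":"sshd.service","PRIORITY":"4","MESSAGE":"Failed password for invalid user admin from 198.51.100.7"}
{"_SYSTEMD_UNIT":"cron.service","PRIORITY":"6","MESSAGE":"(root) CMD (run-parts /etc/cron.hourly)"}
{"_SYSTEMD_UNIT":"nginx.service","PRIORITY":"3","MESSAGE":"worker process exited on signal 11"}
{"PRIORITY":"6","MESSAGE":"audit: type=1400 apparmor=\\"DENIED\\""}
"""

# Hypothetical stand-in for the per-service stanzas: unit name -> sourcetype.
UNIT_STANZAS = {"sshd.service": "journald:sshd", "nginx.service": "journald:nginx"}
CATCHALL = "journald:other"

def parse_journal(text):
    """Parse a JSON-lines journal export into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def route_naive(entries, unit_stanzas=UNIT_STANZAS):
    """Per-unit stanzas plus an unfiltered catch-all: every covered unit is shipped twice."""
    routed = {}
    for e in entries:
        unit = e.get("_SYSTEMD_UNIT")
        if unit in unit_stanzas:
            routed.setdefault(unit_stanzas[unit], []).append(e)
        routed.setdefault(CATCHALL, []).append(e)  # catch-all cannot exclude covered units
    return routed

def route_exclusive(entries, unit_stanzas=UNIT_STANZAS):
    """Catch-all excludes every unit that has its own stanza; entries without
    _SYSTEMD_UNIT (kernel/audit messages) still land in the catch-all."""
    routed = {}
    for e in entries:
        routed.setdefault(unit_stanzas.get(e.get("_SYSTEMD_UNIT"), CATCHALL), []).append(e)
    return routed

def count_duplicates(routed):
    """Number of distinct entries that were shipped under more than one sourcetype."""
    seen = {}
    for entries in routed.values():
        for e in entries:
            key = json.dumps(e, sort_keys=True)
            seen[key] = seen.get(key, 0) + 1
    return sum(1 for n in seen.values() if n > 1)

if __name__ == "__main__":
    entries = parse_journal(SAMPLE_JOURNAL)
    print("naive duplicates:", count_duplicates(route_naive(entries)))        # 3
    print("exclusive duplicates:", count_duplicates(route_exclusive(entries)))  # 0
```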