It’s not clear to me how the different acquisitons are related to the parsers. For example, can I group all my journal filters in a single stanza like this?:
I understand that type: syslog is required for all journal acquisitions, but how does the parser know which logs to use? When using log files you use for example type: authelia which makes apparent that the authelia parse will use that. It’s unclear how this works.
Do all the parsers parse everything from the journal?
So the way it works is there is multiple stages typically s00-raw , s01-parse and s02-enrich. Within s00 this stage is used to normalize the log lines if your reading from syslog or from a file its a pre parse to the application logic which is in s01.
So for example a typical syslog log line holds the “program” name within the line:
<timestamp> <host> <program>[<pid>] <message>
This means as long as the parser and the <program> has the same naming then this is what is used to inform the s01 stage of which parser to use. Now when it comes to file acquisition there is no program name within the log line so that is when we expect you to set labels.type to the program name itself.
Not every parser has been tested via syslog, so for example if you try it and it doesnt work then providing example syslog lines may aid us in debugging further.