I’m looking at creating a snap for journalbeat. A default config to follow all systemd journals seems to be to check /dev/log, which is not allowed in log_observe. If you try to follow actual journal files, knowing some of the names in advance makes it a bit tricky, and makes maintaining a config more cumbersome for different use cases.
Could there be a case to allow read access to /dev/log in log_observe?
Sorry, this seems to have been lost in the backlog. This seems like a reasonable thing to add to the interface, with read access at least. If you feel comfortable proposing a PR, these lines:
although you may need additional rules on systems other than UC20 if the /dev/log file is actually a device node and not just a symlink somewhere in /run.