Journald and syslog can contain the exact same data at times.
For example, running ansible generates lots of "echo BECOME-SUCCESS-< random string >" messages. I can find the exact same messages in both my journalbeat-* and filebeat-* indexes.
What strategies do you use to deal with that kind of duplication?
Do you watch for it, then tell filebeat or journalbeat to drop events that the other one covers?
Does journald contain all the information syslog would, so we could just ignore syslog?
Any other ideas?