December 2018
Beginner
826 pages
22h 54m
English
On our Ubuntu system, the syslogd daemon runs as the syslog user.
We can confirm this by locating our rsyslogd process and checking the user in the leftmost column:
$ pidof rsyslogd
917
$ ps -up 917
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
syslog 917 0.0 0.4 263036 4416 ? Ssl 10:41 0:00 /usr/sbin/rsyslogd -n
We can see why the daemon runs as this user by checking the /etc/rsyslog.conf configuration file:
$ grep PrivDrop /etc/rsyslog.conf
$PrivDropToUser syslog
$PrivDropToGroup syslog
If you wanted to quickly exclude processes running as root, you might use a quick one-liner such as the following (though it's not perfect by any means).
This is on our CentOS VM:
$ ps aux | grep -v root
USER PID %CPU %MEM VSZ RSS ...
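To show where the one-liner above falls short, here is an added example (not from the book) that compares it with a filter matching only the USER column. The sample process list and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed `ps aux`-style sample (not captured from a real host).
sample_ps() {
cat <<'EOF'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.6 128020  6600 ?        Ss   10:41   0:01 /usr/lib/systemd/systemd
chrony     640  0.0  0.1 117804  1700 ?        S    10:41   0:00 /usr/sbin/chronyd
postfix   1187  0.0  0.4  89792  4100 ?        S    10:41   0:00 qmgr -l -t unix -u
vagrant   3120  0.0  0.2 115440  2000 pts/0    S+   10:52   0:00 tail -f /srv/chroot/app.log
EOF
}

# The one-liner's filter: drops every line containing "root" anywhere,
# including paths and arguments in the COMMAND column.
naive_filter() { grep -v root; }

# Keep the header, then compare only the USER column (field 1) exactly.
# $1 is the account to exclude; it defaults to root.
exclude_user() { awk -v u="${1:-root}" 'NR == 1 || $1 != u'; }

# Lines the naive filter loses even though the owner is not root.
wrongly_dropped() { awk 'NR > 1 && $1 != "root" && /root/'; }

echo "grep -v root keeps:";   sample_ps | naive_filter
echo "column match keeps:";   sample_ps | exclude_user root
echo "lost by grep -v root:"; sample_ps | wrongly_dropped

# On a live host, feed real output through the same function:
#   ps aux | exclude_user root
```

The vagrant-owned `tail` process disappears from the `grep -v root` output only because its argument contains "chroot"; the column match keeps it.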