-
Notifications
You must be signed in to change notification settings - Fork 245
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Invalid SYSLOG_PID for (systemd) journal messages #5431
Comments
@sigv , do I understand correctly actual domain name you are using is different (not |
Indeed, we are not using My simplified
I do not think further logs are of relevance, but if there is anything I can try collect or test, let me know. |
@alexey-tikhonov, do keep in mind, this also seems to affect the other identifiers, such as |
Could you please quote |
Example of
|
Sorry, the above one was by
|
I can't reproduce this so far. |
This is on an up-to-date Ubuntu 20.04 Focal Server installation.
|
The thing is, SSSD doesn't set In your examples:
and
it should be It seems something on your system treats/parses |
Based on a 20.04.1 Server image, fresh installation in a VM including updates.
|
This seems like a fairly minimal example case with no additional integrations from my side. |
This has something to do with Ubuntu 20.04 in particular. That's the current LTS version for Ubuntu, and expected to be the current Server default for one and a half year approximately. I can confirm this by in-place upgrading my VM to Ubuntu 20.10 (Groovy):
I see only |
I have to put this on hold for now, but I will get back with information about whether attempting to use SSSD 2.2.3-3 (the Ubuntu 20.04 version) results in broken logging - two scenarios then. If logs look broken, then the SSSD Ubuntu package on 20.04 is horribly broken. If logs look fine, then something in Systemd Journald is apparently doing bad parsing on the logs as they pass through, in which case this is actually a kind of an upstream (systemd/journald) issue. |
Can't get the 2.2.3-3 source to build on the 20.10 box, without taking a closer look, seems the most likely culprit is incompatible library changes that need some adaptations made. Will just roll back to 20.04 and poke around there, to see if I can get to the root of it. High certainty this will need to be moved over to Launchpad (Ubuntu tracker). |
Opened LP: #1908065 on the Ubuntu side. I will close this ticket as the fix will have to be in the Ubuntu package as a 'stable release update'/SRU with that respective ticket, instead of being handled in the source project here. |
JFTR: imo, this ^^ report doesn't get it right. There is nothing wrong with SSSD package in Ubuntu 20.04 in this aspect. There is something weird with journald that treats part of SYSLOG_IDENTIFIER as SYSLOG_PID. Report doesn't seem to emphasize this. |
Sorry, I did comment on that ticket about how systemd is probably to blame here indeed and will update the ticket notes to include that as well. This will probably be moved over to the systemd package on the Ubuntu tracker instead as need be. |
A bit of a status update: Patch has been provided for Ubuntu Focal (20.04) on Ubuntu packaging side, as SSSD 2.2.3-3ubuntu0.4. The notable change is that The patch also proposes including commits: This was not a problem on the newer Ubuntu versions as those already include This could potentially be a problem for other platforms where SSSD is writing to syslog directly, but 1823353 already resolves this concern globally. |
Thank you for the update. |
On Ubuntu 20.04 (Focal), official package versioned 2.2.3-3.
We are seeing
SYSLOG_PID
field consist of backend information (such as'EXAMPLE.COM]'
) or'sudo'
,'nss'
or'pam'
.According to systemd.journal-fields, this field is not explicitly validated, and should be provided as a number from the application.
This incorrect (non-numeric) PID causes trouble for our Journalbeat to Elasticsearch centralized logging implementation, due to it trying to parse it as a
long
.The text was updated successfully, but these errors were encountered: