Bug 2129015

Summary: PID logging oddity
Product: Red Hat Enterprise Linux 9 Reporter: Marko Myllynen <myllynen>
Component: rsyslogAssignee: Attila Lakatos <alakatos>
Status: CLOSED ERRATA QA Contact: Dalibor Pospíšil <dapospis>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.0CC: dapospis, rsroka, systemd-maint-list, zjedrzej
Target Milestone: rcKeywords: AutoVerified, Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: rsyslog-8.2102.0-115.el9 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-11-07 08:33:06 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
journalctl output none

Description Marko Myllynen 2022-09-22 09:59:08 UTC 
Created attachment 1913478 [details]
journalctl output

Description of problem:
Journal shows this on RHEL 9:

Sep 22 08:02:42 localhost systemd[1527]: Started GNOME Shell on X11.
Sep 22 08:02:42 localhost gnome-shell[2202]: Adding device '/dev/dri/card0' (i915) using atomic mode setting.
Sep 22 08:02:43 mars gnome-shell[2202]: Boot VGA GPU /dev/dri/card0 selected as primary

Meaning that gnome-shell is running as PID 2022 and all the references to PID 2202 in the journal are related to gnome-shell. But in /var/log/messages we see:

Sep 22 08:02:42 localhost journal[2202]: Adding device '/dev/dri/card0' (i915) using atomic mode setting.
Sep 22 08:02:43 localhost journal[2202]: Boot VGA GPU /dev/dri/card0 selected as primary
...
Sep 22 08:07:00 localhost gnome-shell[2202]: Window manager warning: W4 appears to be one of the offending windows with a timestamp of 275728.  Working around...

So in /var/log/messages PID 2202 is referring to both journal and gnome-shell, although much more often to journal.

I'm attaching "/usr/bin/journalctl -o verbose _PID=2202" output to show how the message metadata looks like.

This is seen on my laptop which is rebooted every morning and I see this happening every day. Thanks.

Version-Release number of selected component (if applicable):
systemd-250-6.el9_0.1.x86_64
gnome-shell-40.9-2.el9.x86_64
Comment 1 Zbigniew Jędrzejewski-Szmek 2022-09-22 11:30:22 UTC 
Oh, so I misunderstood. I thought 'journalctl' was giving the wrong output, but it's
actually in the text logs. Most likely this has nothing to do with systemd.
Comment 2 Attila Lakatos 2022-09-26 08:51:24 UTC 
Hello,

I assume that you are using the imjournal module to load logs from the journal.
After analyzing the journal output you provided I can see two different kinds of logs:

The first one has identifier as "journal":
Sep 22 08:02:43 localhost journal[2202]: Boot VGA GPU /dev/dri/card0 selected as primary
with metadata: _COMM=gnome-shell
               SYSLOG_IDENTIFIER is NOT specified

The second one has identifier as "gnome-shell":
Sep 22 08:07:00 localhost gnome-shell[2202]: Window manager warning: W4 appears to be one of the offending windows with a timestamp of 275728.
with metadata: _COMM=gnome-shell
               SYSLOG_IDENTIFIER=gnome-shell

As you can see the SYSLOG_IDENTIFIER might be the difference here. Rsyslog does not work with the journals directly, instead we use the journal API. Whatever is passed through the API we display it according to a certain template. Thus, this is not a bug on the rsyslog side.
Let me know what you think. Thanks.
Comment 3 Zbigniew Jędrzejewski-Szmek 2022-09-26 09:12:17 UTC 
This description seems correct, except for the conclusions. As you note, the journal API is used,
which means that rsyslog has access to the same information that the journalctl client does.
The way that the entry looks is under rsyslog's control, being the result of the template used.
Comment 4 Attila Lakatos 2022-09-27 07:31:32 UTC 
This is how the identifier is created:

if (journalGetData("SYSLOG_IDENTIFIER", &get, &length) >= 0) {
	CHKiRet(sanitizeValue(((const char *)get) + 18, length - 18, &sys_iden));
} else {
	CHKmalloc(sys_iden = strdup("journal"));
}

So the "journal" field in the message is treated as a fallback. Another thing that I observed from the provided logs is that there is a difference between the used transport method:
 * the first one is received via the native journal protocol(_TRANSPORT=journal)
 * the second one is received from a services's standard output or error output (_TRANSPORT=stdout)
I think the client should provide the SYSLOG_IDENTIFIER field.

If you would like to add the name of the command that invoked the message, then you can do that by specifying a custom template. Every single journal field is stored in a JSON object of the message. If you want to know what journal fields are available to you, then write out the message using the RSYSLOG_DebugFormat template, e.g.: *.* action(type="omfile" File="/var/log/test.log" Template="RSYSLOG_DebugFormat") and you will get something like:

$!:{ "PRIORITY": "6", "_BOOT_ID": "3895bc9247a64d8bbbd982a4e96bbbbb", "_MACHINE_ID": "77f6a405c2a74b63b06593a959555", "_HOSTNAME": "localhost.localdomain", "_TRANSPORT": "syslog", "_COMM": "logger", "_SELINUX_CONTEXT": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023", "_GID": "1000", "_UID": "1000", "SYSLOG_IDENTIFIER": "alakatos", "SYSLOG_FACILITY": "22", "SYSLOG_TIMESTAMP": "Sep 27 09:22:29 ", "MESSAGE": "My message 1", "_PID": "14999", "_SOURCE_REALTIME_TIMESTAMP": "1664263349893412" }

These fields are available and you can display as many of them as you would like.
Comment 5 Zbigniew Jędrzejewski-Szmek 2022-09-27 08:42:18 UTC 
Righto. So "journal" is not a very good fallback. Journalctl uses the following logic:
 
        PARSE_FIELD_VEC_ENTRY("SYSLOG_IDENTIFIER=", &identifier, &identifier_len),
        PARSE_FIELD_VEC_ENTRY("_COMM=", &comm, &comm_len),
        ...

        if (mode == OUTPUT_WITH_UNIT && ...) {
                /* Not interesting for rsyslog I guess */

        } else if (identifier && shall_print(identifier, identifier_len, flags)) {
                fprintf(f, " %.*s", (int) identifier_len, identifier);
                n += identifier_len + 1;
        } else if (comm && shall_print(comm, comm_len, flags)) {
                fprintf(f, " %.*s", (int) comm_len, comm);
                n += comm_len + 1;
        } else
                fputs(" unknown", f);

In other words, it uses SYSLOG_IDENTIFIER and falls back to _COMM.
Comment 6 Attila Lakatos 2022-09-27 08:55:13 UTC 
That makes sense. Thanks for the detailed report. Let me take the issue upstream what they think about this.
Comment 7 Attila Lakatos 2022-11-01 06:58:56 UTC 
Attached upstream pull request.
Comment 20 errata-xmlrpc 2023-11-07 08:33:06 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (rsyslog bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6444