Bug 2168363

Summary: syslog messages do not get categorized under a systemd unit
Product: Red Hat Enterprise Linux 8 Reporter: Dalibor Pospíšil <dapospis>
Component: systemdAssignee: systemd maint <systemd-maint>
Status: NEW --- QA Contact: Frantisek Sumsal <fsumsal>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.8CC: dtardon, systemd-maint-list
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dalibor Pospíšil 2023-02-08 19:53:57 UTC 
Description of problem:


Version-Release number of selected component (if applicable):
systemd-239-71.el8
usbguard-1.0.0-13.el8

How reproducible:
100%

Steps to Reproduce:
1. systemctl stop usbguard
2. since=$(date +"%F %T")
3. sleep 1
4. echo "SomeNonexistentDirective=12345" >> /etc/usbguard/usbguard-daemon.conf
5. systemctl reset-failed usbguard
6. systemctl restart usbguard
7. sleep 2
8. journalctl --flush
9. sleep 1
10. journalctl -u usbguard -l --since '$since' --no-pager 

Actual results:
no messages coming from the usbguard-daemon

Expected results:
messages like
Feb 08 20:45:54 sopos-rhel9-brq usbguard-daemon[119481]: Error: parsed key is not in key set: 'SomeNonexistentDirective'
Feb 08 20:45:53 sopos-rhel9-brq usbguard-daemon[119445]: KeyValueParser: Parser: Invalid key

Additional info:
RHEL-9 works as expected

These are the missing properties of the journal messages on rhel8 in comparison to rhel9:
_RUNTIME_SCOPE
_SYSTEMD_SLICE
_EXE
_CMDLINE
_SYSTEMD_CGROUP
_SYSTEMD_UNIT
SYSLOG_TIMESTAMP
_SYSTEMD_INVOCATION_ID
Comment 1 David Tardon 2023-02-09 16:05:28 UTC 
(In reply to Dalibor Pospíšil from comment #0)
> Steps to Reproduce:
> 1. systemctl stop usbguard
> 2. since=$(date +"%F %T")
> 3. sleep 1
> 4. echo "SomeNonexistentDirective=12345" >>
> /etc/usbguard/usbguard-daemon.conf
> 5. systemctl reset-failed usbguard

This is not needed. `systemctl start` (or restart) doesn't care about the initial state.

> 6. systemctl restart usbguard
> 7. sleep 2
> 8. journalctl --flush

This does something else than you think.

> 9. sleep 1
> 10. journalctl -u usbguard -l --since '$since' --no-pager 
> 
> Actual results:
> no messages coming from the usbguard-daemon

This looks like a known race: the daemon had exited too quickly, before journald has had a chance to determine its cgroup. It only happens with legacy/hybrid cgroup hierarchy, though; it works fine with unified hierarchy (which is used by default on RHEL-9, hence the problem doesn't manifest there either)...
Comment 2 Dalibor Pospíšil 2023-02-14 21:41:28 UTC 
So what would be the recommendation to make it work correctly on RHEL-8?