Description of problem:
According to https://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html#SYSLOG_FACILITY= the SYSLOG_FACILITY value is supposed to be an integer "(formatted as decimal string)" (and usually in the range 0 to 23). However, on some systems, we see different values e.g.
> sudo journalctl -m -o export | grep SYSLOG_FACILITY= | grep -v 'SYSLOG_FACILITY=[0-9]' | sort -u
Either journald should somehow sanitize/normalize the SYSLOG_FACILITY values, or the documentation should be updated to notify log viewers/parsers to expect invalid values.
This is causing problems for some log collectors: https://bugzilla.redhat.com/show_bug.cgi?id=1703904#c3
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Note: It'd be easy to use NetworkManager for reproducing the issue. I got these non-digital string facility values in my testing. All of them are from NetworkManager.
Please note that the issue is not observed on RHEL7 even though NetworkManager is launched.
From my testing and analysis of the logs, it's obvious it's the NetworkManager that sends string (sometimes multiple in one entry) SYSLOG_FACILITY values directly. The only way to do that that I'm aware of is to send a journal message via the journal API with such non-standard value. NetworkManager is the culprit and should be fixed.
As far as I know, journald is not a syslog daemon and is not interested in sanitizing invalid syslog fields. This should be documented in systemd.journal-fields.
fix merged to github master branch -> https://github.com/systemd-rhel/rhel-8/pull/2 -> post
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.