The character ^] (from 'man ascii': 035 29 1D GS (group separator), 135 93 5D ]) is common in /var/log/audit.log. Is there some explanation for it? Apparently it was not the case in 2.8.5 (RHEL 7), but it appears common in audit 3.0.7 or newer.
Yes, the group separator is used to mark the end of the event and the beginning of interpreted data. This standard has been published for at least 7 years: https://github.com/linux-audit/audit-documentation/wiki/SPEC-Audit-Event-Enrichment This information is processed by the audit utilities to accurately determine user mappings when the logs are viewed on a remote system.
Thanks Steve. As you described earlier (making it clear here): if one wants to avoid the control character, one can set 'log_format' to 'raw' in /etc/audit/auditd.conf, but that will cause the logs not to be transportable to other systems.
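To make the two points in this thread concrete (the GS byte separating the event from its interpreted data, and what is lost when 'log_format = raw' drops that data), here is a small parser, added as an example and not code from the thread or from the audit project. It assumes the enrichment after 0x1D is a space-separated list of NAME="value" pairs whose names are the upper-cased raw field names (UID for uid, AUID for auid, and so on); the two log lines are constructed samples, not real records.

```python
import re

GS = "\x1d"  # ASCII 0x1D, group separator: splits the event from its enrichment

# Constructed sample records (not real log data). ENRICHED mimics an audit 3.x
# line with interpreted fields after GS; PLAIN is an un-enriched 2.8.x-style line.
# Assumption: the enrichment is NAME="value" pairs named after the raw fields.
ENRICHED = (
    "type=USER_LOGIN msg=audit(1700000000.123:456): pid=1234 uid=0 auid=1000 "
    "ses=3 msg='op=login id=1000 exe=\"/usr/sbin/sshd\" hostname=? "
    "addr=192.0.2.10 terminal=ssh res=success'"
    + GS + 'UID="root" AUID="alice" ID="alice"'
)
PLAIN = ("type=SYSCALL msg=audit(1700000000.456:789): arch=c000003e syscall=59 "
         "uid=1000 auid=1000 success=yes")

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")


def split_record(line):
    """Split one audit line at GS. Returns (event_text, enrichment_text or '')."""
    event, _sep, enrichment = line.rstrip("\n").partition(GS)
    return event, enrichment


def parse_kv(text):
    """Parse key=value pairs; quoted values are returned without their quotes."""
    out = {}
    for key, val in FIELD_RE.findall(text):
        if val[:1] in "\"'" and val[-1:] == val[:1]:
            val = val[1:-1]
        out.setdefault(key, val)  # keep the first occurrence of a repeated key
    return out


def parse_record(line):
    """Return type, timestamp, serial, raw fields and interpreted fields of one line."""
    event, enrichment = split_record(line)
    m = HEADER_RE.match(event)
    if not m:
        raise ValueError("not an audit record: %r" % line[:40])
    rtype, ts, serial, body = m.groups()
    return {
        "type": rtype,
        "timestamp": float(ts),
        "serial": int(serial),
        "fields": parse_kv(body),
        "interpreted": parse_kv(enrichment),
    }


def resolve_user(record, field):
    """Map a numeric id field (uid, auid, ...) to the name the origin host recorded.

    The enrichment is preferred because a local passwd lookup on a collector host
    can map the same number to a different name; without enrichment only the raw
    number is available."""
    interp = record["interpreted"]
    return interp.get(field.upper(), record["fields"].get(field))


def to_raw_format(line):
    """The same line as it would appear with log_format = raw (enrichment dropped)."""
    return split_record(line)[0]


def has_control_chars(text):
    """True if the line carries any C0 control character (the trailing newline aside)."""
    return any(ord(c) < 0x20 for c in text.rstrip("\n"))


if __name__ == "__main__":
    for line in (ENRICHED, PLAIN):
        rec = parse_record(line)
        print(rec["type"], rec["serial"],
              "uid ->", resolve_user(rec, "uid"),
              "auid ->", resolve_user(rec, "auid"),
              "control chars:", has_control_chars(line))
```

Run it and the enriched line resolves uid=0 to "root" and auid=1000 to "alice" straight from the record, while the plain line can only report the numbers; stripping everything after GS (what 'raw' produces) removes the control character but also that name mapping, which is why the raw output is not safe to interpret on another host.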