Bug 15898 - JSON audit logging is inconsistent with the rest of the logging subsystem
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.22.4
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2025-08-25 15:50 UTC by Kacper
Modified: 2025-08-25 15:50 UTC
Description Kacper 2025-08-25 15:50:17 UTC
Since commit #edab131 (audit_logging: Remove debug log header and JSON Authentication: prefix) (bug #13714), JSON audit logs in Samba are formatted in a way that is difficult to interpret and problematic for log processing.

In Samba, "  " (two spaces) is normally used to denote a multiline log entry associated with a specific header. However:

1) Every JSON audit log is prefixed with "  ".
2) These entries are appended to the previous log header.

Consequently:

1) JSON audit events visually appear to belong to the preceding header, which is misleading.
2) Systems like rsyslog using readMode 2 fail to correctly ingest the JSON logs because they cannot distinguish them from the previous multiline log entry.
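
The ambiguity described in the report, as an added example that is not part of the original bug report or of Samba's code: indentation-based grouping folds each JSON audit event into the preceding debug record, while a content-based split recovers the events. The log lines, source paths and JSON fields are constructed and simplified, and the function names are hypothetical.

```python
import json

# Constructed sample of a Samba log file: debug headers, two-space
# continuation lines, and JSON audit events (paths and fields are made up).
SAMPLE_LOG = """\
[2025/08/25 15:50:17.000001,  3] ../../source4/example.c:10(example_fn)
  first line of an ordinary debug message
  second line of the same message
  {"timestamp": "2025-08-25T15:50:17.000002+0000", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK"}}
[2025/08/25 15:50:18.000001,  3] ../../source4/example.c:20(other_fn)
  another debug message
  {"timestamp": "2025-08-25T15:50:18.000002+0000", "type": "dsdbChange", "dsdbChange": {"operation": "Modify"}}
"""

def group_indented(text):
    """Group lines the way an indentation-based multiline reader does:
    a line starting with whitespace continues the previous record."""
    records = []
    for line in text.splitlines():
        if line[:1].isspace() and records:
            records[-1].append(line)
        else:
            records.append([line])
    return records

def split_audit_events(text):
    """Separate JSON audit events from debug records by content, because
    indentation alone cannot tell them apart. Assumption: an audit event
    is a one-line JSON object carrying "timestamp" and "type" keys."""
    events, debug = [], []
    for line in text.splitlines():
        body = line.strip()
        if body.startswith("{"):
            try:
                obj = json.loads(body)
            except json.JSONDecodeError:
                obj = None
            if isinstance(obj, dict) and "timestamp" in obj and "type" in obj:
                events.append(obj)
                continue
        if line[:1].isspace() and debug:
            debug[-1].append(line)
        else:
            debug.append([line])
    return events, debug

if __name__ == "__main__":
    for rec in group_indented(SAMPLE_LOG):
        print(len(rec), "lines grouped under", rec[0][:40])
    events, debug = split_audit_events(SAMPLE_LOG)
    print([e["type"] for e in events])
```
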