15898 – JSON audit logging is inconsistent with the rest of the logging subsystem

Bug 15898 - JSON audit logging is inconsistent with the rest of the logging subsystem

Summary: JSON audit logging is inconsistent with the rest of the logging subsystem

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB (show other bugs)
Version:	4.22.4
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Gary Lockyer
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2025-08-25 15:50 UTC by Kacper
Modified:	2026-03-04 21:19 UTC (History)
CC List:	0 users

See Also:	https://gitlab.com/samba-team/samba/-/merge_requests/4392

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Kacper 2025-08-25 15:50:17 UTC

Since commit #edab131 (audit_logging: Remove debug log header and JSON Authentication: prefix) (bug #13714), JSON audit logs in Samba are formatted in a way that is difficult to interpret and problematic for log processing.

In Samba, " " (two spaces) is normally used to denote a multiline log entry associated with a specific header. However:

1) Every JSON audit log is prefixed with " ".
2) These entries are appended to the previous log header.

Consequently:

1) JSON audit events visually appear to belong to the preceding header, which is misleading.
2) Systems like rsyslog using readMode 2 fail to correctly ingest the JSON logs because they cannot distinguish them from the previous multiline log entry.

Comment 1 Gary Lockyer 2026-01-22 23:48:58 UTC

Merge request https://gitlab.com/samba-team/samba/-/merge_requests/4392

Comment 2 Samba QA Contact 2026-01-29 00:34:04 UTC

This bug was referenced in samba master:

3c30c4740f40f633b5a71c772374e6c1283ec13c
b86bcc58b0ea43c4ab85e0030a9522c686877043
35cb872ab44ba9fe0782164a979c112705374cee
788af2540eb289fae6780ce7684172c5a3487166