
Incorrect log level assignment for auditd messages without PRIORITY field #731

Open
WAKazuyoshiAkiyama opened this issue Jan 30, 2025 · 1 comment


Environment

  • dlt-daemon: v2.18.10 (0f2d4cf)
  • systemd: 244.5
  • audit: 2.8.5
  • linux: 5.4

Issue

Currently, dlt-daemon assigns the log level "Emergency" to all journal messages from auditd that lack a PRIORITY field.
This behavior originates from the current implementation of get_journal_msg(), which does not handle cases where the PRIORITY field is missing.

Example message from auditd

Tue 2024-12-24 17:20:49.383000 UTC+9 [s=0272031534e84e679782433f87f4562a;i=56a;b=a5f717e39b1644779bbdff5c09e85249;m=fcc71;t=629ffca66ae5a;x=6093bf34f8a4fa5d]  
    _BOOT_ID=a5f717e39b1644779bbdff5c09e85249  
    _MACHINE_ID=076f208e43f94dab8f210263f82252d0  
    _HOSTNAME=mymachine  
    _UID=0  
    _TRANSPORT=audit  
    _AUDIT_TYPE=1130  
    SYSLOG_FACILITY=4  
    SYSLOG_IDENTIFIER=audit  
    _AUDIT_TYPE_NAME=SERVICE_START  
    _PID=1  
    _AUDIT_LOGINUID=4294967295  
    _AUDIT_SESSION=4294967295  
    _SELINUX_CONTEXT=system_u:system_r:init_t:s0  
    AUDIT_FIELD_COMM=systemd  
    AUDIT_FIELD_EXE=/lib/systemd/systemd  
    AUDIT_FIELD_HOSTNAME=?  
    AUDIT_FIELD_ADDR=?  
    AUDIT_FIELD_TERMINAL=?  
    AUDIT_FIELD_RES=success  
    _SOURCE_REALTIME_TIMESTAMP=1735028449383000  
    _AUDIT_ID=17  
    MESSAGE=SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-udevd comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'  
    AUDIT_FIELD_UNIT=systemd-udevd  

Expected Behavior

Since messages from auditd with SYSLOG_FACILITY=4 do not contain a PRIORITY field, dlt-daemon should determine the appropriate log level based on other fields such as _AUDIT_TYPE.

Possible Improvement

  • Modify get_journal_msg() to:
    • Check SYSLOG_FACILITY and _AUDIT_TYPE when PRIORITY is missing.
    • Use a fallback mechanism to infer a more accurate log level rather than defaulting to "Emergency".
      • e.g. if _AUDIT_TYPE is AVC, messages are classified as "Error"; otherwise they are classified as "INFO".

Would appreciate any thoughts or suggestions on how best to handle this!

WAKazuyoshiAkiyama commented Feb 10, 2025

Unfortunately, the messages from systemd-logind have a SYSLOG_FACILITY=4 field and a PRIORITY field, but no _AUDIT_TYPE field.
So, checking whether SYSLOG_FACILITY is 4 might not be enough as the condition.
But since some messages with SYSLOG_FACILITY=4, like the systemd-logind one, have a PRIORITY field, I think checking whether a message has an _AUDIT_TYPE field is enough to prevent the false-positive log level of auditd messages.

Mon 2024-12-23 09:25:02.657785 JST [s=3b31da80470d428abeb67db67ceb8ddb;i=6ee99;b=dc92e416aba049a2ae5f4e126a7169e9;m=268baa3;t=629e5070abd27;x=405155e5d1e7929e]
    _BOOT_ID=dc92e416aba049a2ae5f4e126a7169e9
    _MACHINE_ID=bf3a13f61fc94871a8141ddd096ceb53
    _HOSTNAME=mymachine
    PRIORITY=6
    _UID=0
    _GID=0
    _SYSTEMD_SLICE=system.slice
    _TRANSPORT=journal
    SYSLOG_FACILITY=4
    TID=281
    SYSLOG_IDENTIFIER=systemd-logind
    _PID=281
    _COMM=systemd-logind
    _EXE=/usr/lib/systemd/systemd-logind
    _CMDLINE=/lib/systemd/systemd-logind
    _CAP_EFFECTIVE=24420020f
    _SYSTEMD_CGROUP=/system.slice/systemd-logind.service
    _SYSTEMD_UNIT=systemd-logind.service
    _SYSTEMD_INVOCATION_ID=5d0b6dc5614a48b4b84c3bec4d4afacf
    CODE_FILE=src/login/logind-session.c
    CODE_LINE=712
    CODE_FUNC=session_start
    MESSAGE_ID=8d45620c1a4348dbb17410da57c60c66
    USER_ID=gnome-initial-setup
    SESSION_ID=c6
    LEADER=2085
    MESSAGE=New session c6 of user gnome-initial-setup.
    _SOURCE_REALTIME_TIMESTAMP=1734913502657785
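As an added example (not dlt-daemon's own code), the following Python sketch applies the rule proposed across both comments to the two records quoted above plus a constructed AVC record: use PRIORITY when it is present, otherwise treat the presence of _AUDIT_TYPE as the audit marker and classify AVC as error and every other audit type as info. The trimmed sample records, the severity names and the "emergency" default for records that have neither field are assumptions that mirror the behaviour described in this issue.

```python
# Constructed sample records in `journalctl -o verbose` layout, trimmed to the
# fields that drive the decision; the first two mirror the issue, the AVC one is made up.
AUDITD_ENTRY = """\
Tue 2024-12-24 17:20:49.383000 UTC+9 [s=0272031534e84e679782433f87f4562a;i=56a]
    _TRANSPORT=audit
    _AUDIT_TYPE=1130
    SYSLOG_FACILITY=4
    SYSLOG_IDENTIFIER=audit
    _AUDIT_TYPE_NAME=SERVICE_START
    MESSAGE=SERVICE_START pid=1 uid=0 auid=4294967295 res=success
"""
LOGIND_ENTRY = """\
Mon 2024-12-23 09:25:02.657785 JST [s=3b31da80470d428abeb67db67ceb8ddb;i=6ee99]
    PRIORITY=6
    SYSLOG_FACILITY=4
    SYSLOG_IDENTIFIER=systemd-logind
    MESSAGE=New session c6 of user gnome-initial-setup.
"""
AVC_ENTRY = """\
Mon 2024-12-23 09:30:00.000000 JST [s=constructed;i=1]
    _AUDIT_TYPE=1400
    _AUDIT_TYPE_NAME=AVC
    MESSAGE=AVC avc:  denied  { read } for pid=1234 comm=example
"""

# Standard syslog severities, indexed by the numeric PRIORITY value.
SYSLOG_SEVERITY = ("emergency", "alert", "critical", "error",
                   "warning", "notice", "info", "debug")

def parse_verbose_entry(text):
    """One verbose-format entry -> dict; only indented KEY=VALUE lines count."""
    fields = {}
    for line in text.splitlines():
        if line.startswith((" ", "\t")) and "=" in line:
            key, value = line.strip().split("=", 1)
            fields[key] = value
    return fields

def infer_log_level(fields):
    """PRIORITY wins; audit records without it are classified by audit type."""
    prio = fields.get("PRIORITY")
    if prio is not None and prio.isdigit() and int(prio) < len(SYSLOG_SEVERITY):
        return SYSLOG_SEVERITY[int(prio)]
    if "_AUDIT_TYPE" in fields:
        # AVC denials (AUDIT_AVC = 1400 in linux/audit.h) -> error; other audit types -> info
        if fields.get("_AUDIT_TYPE_NAME") == "AVC" or fields["_AUDIT_TYPE"] == "1400":
            return "error"
        return "info"
    # No PRIORITY and not an audit record: keep the default the issue describes.
    return "emergency"
```

Note that a record with only SYSLOG_FACILITY=4 and no _AUDIT_TYPE still falls through to the default, which is exactly the systemd-logind case the second comment raises, handled here by the PRIORITY branch instead.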
