This is to indicate that this is a login shell, to the shell process.
Per tlog-rec-session(8):
If tlog-rec-session is invoked under a name beginning with a dash (i.e. argv[0] beginning with '-'), then the executed shell name is also prepended with a dash. This passes the "login shell" status to the recorded shell and is equivalent to using the "-l" option.
If you can parse the journal fields (journalctl -o verbose) then you can use the following entries to filter.
Hello!
We want to archive tlog messages using rsyslog.
Messages are logged using a journal.
When we log in to the terminal with the account used by tlog, it is filtered by the programming name as shown below.
cat /var/log/messages |grep tlog
May 22 14:32:07 test-dev1 -tlog-rec-session[180885]: {"ver":"2.3","host":"test-dev1","rec":"50f61539226e4cc18376bbd7d5431435-2c295-2e9f7be","user":"test1" ...
But when I use "SSH" in the remote place, the programming name is output differently as shown below.
For example if I use ansible or sftp it displays differently.
May 22 14:36:07 test-dev1 tlog-rec-session[182166]: {"ver":"2.3","host":"test-dev1","rec":"50f61539226e4cc18376bbd7d5431435-2c796-2ea5946","user":"test1" ...
I want to set up filtering to use rsyslog, but why is the programming name different?
(-tlog-rec-session // tlog-rec-session)
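
An added example, not part of the thread and not code from tlog or rsyslog: one way to select tlog records from a syslog file regardless of the login-shell dash, by stripping a single leading '-' from the tag and comparing the whole program name. The sample lines are constructed from the two shown in the issue, and the names `parse_tlog_line` and `archive` are hypothetical.

```python
import json
import re

# Constructed sample lines modelled on the two in the issue; the JSON payload
# is cut down to the four fields visible there and closed so that it parses.
SAMPLE = """\
May 22 14:32:07 test-dev1 -tlog-rec-session[180885]: {"ver":"2.3","host":"test-dev1","rec":"50f61539226e4cc18376bbd7d5431435-2c295-2e9f7be","user":"test1"}
May 22 14:36:07 test-dev1 tlog-rec-session[182166]: {"ver":"2.3","host":"test-dev1","rec":"50f61539226e4cc18376bbd7d5431435-2c796-2ea5946","user":"test1"}
May 22 14:36:09 test-dev1 sshd[182170]: Accepted publickey for test1
May 22 14:36:10 test-dev1 my-tlog-rec-session-wrapper[182171]: {"user":"test1"}
"""

# BSD-syslog layout: timestamp, host, tag[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<tag>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s(?P<msg>.*)$"
)
PROGRAM = "tlog-rec-session"


def parse_tlog_line(line):
    """Return a dict for a tlog record line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    tag = m.group("tag")
    # argv[0] starting with '-' marks a login shell; strip exactly one dash
    # and compare the whole name, so look-alike tags do not match.
    login_shell = tag.startswith("-")
    if (tag[1:] if login_shell else tag) != PROGRAM:
        return None
    try:
        record = json.loads(m.group("msg"))
    except json.JSONDecodeError:
        return None  # truncated or non-JSON payload: skipped
    pid = int(m.group("pid")) if m.group("pid") else None
    return {"pid": pid, "login_shell": login_shell, "record": record}


def archive(text):
    """Collect every tlog record found in a block of syslog text."""
    return [r for r in map(parse_tlog_line, text.splitlines()) if r]


if __name__ == "__main__":
    for entry in archive(SAMPLE):
        print(entry["pid"], entry["login_shell"], entry["record"]["rec"])
```

The `login_shell` flag keeps the information the dash carries, so an archive can still separate interactive logins from sessions started without a login shell.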