m-kress
commented
4 years ago How exactly do you want to look the format like? Can you find out, why AppArmor isn't able to parse the logs and give a example here, how it should look like?
Open tastytea opened 4 years ago
m-kress
commented
4 years ago How exactly do you want to look the format like? Can you find out, why AppArmor isn't able to parse the logs and give a example here, how it should look like?
tastytea
commented
4 years ago I'm not sure what exactly AppArmor expects, but it looks for /var/log/syslog, /var/log/messages and /var/log/kern.log. That makes me think it looks for files in the “traditional” format: DATE HOSTNAME TAG: MESSAGE (example: Dec 14 12:24:51 xubuntu-1804-vm blueman-mechanism: loading Network).
It would be great if i could either define my own log format or use a predefined compatibility-format, like this:
syslogd format :
facility = "*"
minimum = 6
format = syslogd
logdir = "/var/log/compat"
orlitzky
commented
3 years ago metalog:
Apr 10 05:09:58 [postfix/pickup] ACA40363C63: uid=0 from=<root>syslog-ng:
Apr 10 04:31:43 mail2 postfix/pickup[31770]: 4FHSsC2t90z448K: uid=0 from=<root>Most log analysis tools take the lazy approach and match those log entries with a regular expression. The missing hostname and PID in particular cause problems for tools like postfix-logwatch.
AppArmor can't parse Metalog's logs. It would be nice to be able to switch to the syslogd-format per section.