jack-ullery
commented
1 year ago Added the capability to read from /var/log/syslog. This still does not include all the DENIED logs we might be interested in. Eventually we should also query auditd logs from /var/log/audit/audit.log, maybe using ausearch
This update changes (yet again) how logs are queried and parsed.
Before, we would use journalctl to query the logs, and jsoncpp to parse them. This had the benefit of comprehensively returning each AppArmor log. The only problem was that it slowed down the interface considerably after a few thousand logs.
Instead, I built a system to parse the logs using libapparmor, which is a library used to parse logs directly from files in
/var/log. This should be considerably faster, but requires us to manually specify which log files to read.Currently, we are only reading logs from
/var/log/kern.logand/var/log/dmesg, but it may eventually be helpful to read from the syslog, which would allow us to read many more logs.Another limitation with our implementation, is that we can only ready logs that a user would normally have permission for. We cannot read any logs that would require super-user privileges.