[apparmor] Regarding apparmor logging

John Johansen john.johansen at canonical.com
Tue Jul 13 16:44:51 UTC 2021


On 7/13/21 8:29 AM, swarna latha wrote:
> Hi,
> 
> I would like to redirect the apparmor logs from journalctl to my log file, so that I
> get only apparmor logs, I can act on.
> 
> Can you please let me know if there is any config option for this, or point me to the code where I can specify my log file.
> 

AppArmor uses the kernel audit subsystem. If you install auditd, its messages will go through auditd and you would configure filtering rules there. If you are not using auditd, then the messages will go through the kernel dmesg buffer and be picked up as part of the kernel log. In this case you will need to configure your userspace audit system, systemd, syslog, rsyslog ... to filter the rules to a separate file. Each of these systems is capable of doing this; however, the details of doing it in each one are different.
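
An added example, not part of the original message or of AppArmor itself: whichever of the two paths described above delivers the messages (auditd or the kernel log), AppArmor records can be recognised by their `apparmor="..."` field and audit stamp, then written to a separate file. The function names and the sample lines are constructed for illustration.

```python
import re

# Constructed sample lines (not from the thread): a kernel-log record as seen
# without auditd, an auditd audit.log record, and two unrelated messages.
SAMPLE = [
    '[  812.345678] audit: type=1400 audit(1626194691.123:456): '
    'apparmor="DENIED" operation="open" profile="/usr/bin/example" '
    'name="/etc/shadow" pid=1234 comm="example" requested_mask="r" '
    'denied_mask="r" fsuid=1000 ouid=0',
    'type=AVC msg=audit(1626194700.001:457): apparmor="ALLOWED" '
    'operation="exec" profile="/usr/bin/example" name="/bin/sh" pid=1240 '
    'comm="example"',
    '[  813.000001] usb 1-1: new high-speed USB device number 3 using xhci_hcd',
    'type=SYSCALL msg=audit(1626194700.001:457): arch=c000003e syscall=59',
]

AUDIT_ID = re.compile(r'audit\((\d+\.\d+):(\d+)\)')   # audit(<epoch>:<serial>)
KEY_VALUE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

def parse_apparmor(line):
    """Return the record's fields if line is an AppArmor audit record, else None."""
    start = line.find('apparmor="')
    stamp = AUDIT_ID.search(line)
    if start < 0 or stamp is None:
        return None
    fields = {'time': float(stamp.group(1)), 'serial': int(stamp.group(2))}
    # Parse only from the apparmor= field onward so prefixes are ignored.
    for key, quoted, bare in KEY_VALUE.findall(line[start:]):
        fields[key] = quoted or bare
    return fields

def split_apparmor(lines, out_path):
    """Copy only AppArmor records to out_path; return the parsed events."""
    events = []
    with open(out_path, 'w') as out:
        for line in lines:
            event = parse_apparmor(line)
            if event is not None:
                out.write(line.rstrip('\n') + '\n')
                events.append(event)
    return events

if __name__ == '__main__':
    for ev in split_apparmor(SAMPLE, 'apparmor-only.log'):
        print(ev['serial'], ev['apparmor'], ev['operation'], ev.get('name'))
```
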



