Hi John, I added below entries in one of my profiles which runs under complain mode. *audit /var/** wl,*
As per my script to capture Apparmor logs, I am capturing journalctl -k for every 30 mins in my log path (for instance, /tmp/logs/). However, I could NOT see the expected log entry for this rule audit "/var/** wl," from journalctl -k output. I could see the logs seen if we use *journalctl -a*, but I do not want to copy (to avoid the space) journalctl -a for every 30 mins as it has other additional/debug log information. Do we have any options/configuration to get these logs from *journalctl -k *instead of* journalctl -a*? Thanks Murali.S
