I'm using AppArmor and it sometimes returns many audit logs. By default there
was something like this in the journal:

... audit[1397]: AVC apparmor= ...
... kernel: audit: type=1400 audit(1523275695.613:76): apparmor= ...

So there are two entries and they carry the same message. So the message is
doubled. The first message disappears when systemd-journald-audit.socket is
masked, but what about the second message?

Basically I want to remove the AppArmor logs only from the journal and not from
the whole system. They could be logged by rsyslog and placed in some file/FIFO
device.

Is there a way to get rid of the second message from the journal only somehow?

--
Morfik

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Reply via email to