I'm using AppArmor and it sometimes returns many audit logs. By default there was something like this in the journal:
... audit[1397]: AVC apparmor= ... ... kernel: audit: type=1400 audit(1523275695.613:76): apparmor= ... So there are two entries and they carry the same message. So the message is doubled. The first message disappears when systemd-journald-audit.socket is masked, but what about the second message? Basically I want to remove the AppArmor logs only from the journal and not from the whole system. They could be logged by rsyslog and placed in some file/FIFO device. Is there a way to get rid of the second message from the journal only somehow? -- Morfik
signature.asc
Description: OpenPGP digital signature
_______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
