I'm using AppArmor and it sometimes returns many audit logs. By default there
was something like this in the journal:

... audit[1397]: AVC apparmor= ...
... kernel: audit: type=1400 audit(1523275695.613:76): apparmor= ...

So there are two entries and they carry the same message. So the message is
doubled. The first message disappears when systemd-journald-audit.socket is
masked, but what about the second message?

Basically I want to remove the AppArmor logs only from the journal and not from
the whole system. They could be logged by rsyslog and placed in some file/FIFO

Is there a way to get rid of the second message from the journal only somehow?


Attachment: signature.asc
Description: OpenPGP digital signature

systemd-devel mailing list

Reply via email to