*** This bug is a duplicate of bug 1399027 ***
https://bugs.launchpad.net/bugs/1399027
** Tags added: aa-tools
** This bug has been marked a duplicate of bug 1399027
logparser doesn't understand /var/log/messages format
--
https://bugs.launchpad.net/bugs/1432350
Title:
aa-logprof and aa-genprof work only with audit.log not syslog
Status in apparmor package in Ubuntu:
Confirmed
Bug description:
Ubuntu 14.10
apparmor 2.8.98-0ubuntu2
Analyzing the logs with aa-logprof works when the logs are written by
auditd:
# aa-logprof -f /var/log/audit/audit.log
Reading log entries from /var/log/audit/audit.log.
Updating AppArmor profiles in /etc/apparmor.d.
Complain-mode changes:
WARN: unknown capability: CAP_setgid
Profile: /usr/sbin/havp
Capability: setgid
Severity: unknown
[1 - #include <abstractions/dovecot-common>]
2 - #include <abstractions/postfix-common>
3 - capability setgid
[(A)llow] / (D)eny / (I)gnore / Audi(t) / Abo(r)t / (F)inish
It does not work when the logs are written to /var/log/syslog:
root@apparmor:~# aa-logprof
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
One contained message:
Mar 15 13:20:07 test kernel: [ 3349.757377] audit: type=1400
audit(1426422007.555:122): apparmor="DENIED" operation="unlink"
profile="/usr/sbin/havp" name="/run/havp/havp.pid" pid=10888 comm="havp"
requested_mask="d" denied_mask="d" fsuid=109 ouid=109
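Added example, not part of the bug report and not AppArmor's own logparser code: a minimal Python parser that reads the same denial from either log format by anchoring on the audit(...) stamp both share, so the syslog timestamp/host/kernel prefix is ignored. The function name and the audit.log sample line are assumptions constructed for illustration; the syslog sample is the message quoted in the report, joined onto one line.

```python
import re

# SYSLOG_LINE: the message from the report, unwrapped onto one line.
SYSLOG_LINE = ('Mar 15 13:20:07 test kernel: [ 3349.757377] audit: type=1400 '
               'audit(1426422007.555:122): apparmor="DENIED" operation="unlink" '
               'profile="/usr/sbin/havp" name="/run/havp/havp.pid" pid=10888 '
               'comm="havp" requested_mask="d" denied_mask="d" fsuid=109 ouid=109')
# AUDIT_LINE: constructed sample of the same event as auditd would record it.
AUDIT_LINE = ('type=AVC msg=audit(1426422007.555:122): apparmor="DENIED" '
              'operation="unlink" profile="/usr/sbin/havp" '
              'name="/run/havp/havp.pid" pid=10888 comm="havp" '
              'requested_mask="d" denied_mask="d" fsuid=109 ouid=109')

# Both formats carry "type=<x> [msg=]audit(<epoch>:<serial>): <key=value ...>".
# search() (not match()) skips any syslog prefix in front of it.
EVENT_RE = re.compile(r'type=(?P<type>\w+)\s+(?:msg=)?'
                      r'audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)')
# A value is either a double-quoted string or a run of non-space characters.
PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_apparmor_event(line):
    """Return a dict for an AppArmor audit event, or None for unrelated lines."""
    m = EVENT_RE.search(line)
    if m is None or 'apparmor=' not in m['body']:
        return None
    event = {'type': m['type'],
             'epoch': float(m['epoch']),
             'serial': int(m['serial'])}
    for key, value in PAIR_RE.findall(m['body']):
        if value.startswith('"'):
            value = value[1:-1]  # drop the surrounding quotes
        event[key] = value
    return event


if __name__ == '__main__':
    for sample in (AUDIT_LINE, SYSLOG_LINE):
        print(parse_apparmor_event(sample))
```

Apart from the record type (`AVC` versus `1400`), both sample lines yield the same dictionary.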