logparser doesn't understand /var/log/messages format
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Fix Released | High | Steve Beattie |
apparmor (Ubuntu) | Fix Released | High | Unassigned |
Bug Description
[impact]
This bug causes tools that use libapparmor to parse syslog and other
logs for apparmor rejections to fail to recognize apparmor events.
[steps to reproduce]
[regression potential]
The patch for this issue is confined to the log parsing portion of
the libapparmor library. Breakages occurring here would most likely
prevent tools that help assist the management of apparmor policy
from working; apparmor mediation would not be impacted. libapparmor
does provide other functionality, mostly around the aa_change_hat(3)
and aa_change_
issues for applications that make use of these from working correctly;
however, there are tests available in the upstream package that get
invoked by the lp:qa-regression-testing test-apparmor.py script that
ensure these continue to function.
[original description]
log parsing (part of libapparmor, used by aa-logprof and aa-genprof) doesn't understand the format in /var/log/messages, which means it doesn't find any events in it.
IIRC I've seen a similar report for the Ubuntu syslog format on IRC.
Example log line from openSUSE:
2014-06-
(Workaround: use auditd / audit.log)
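The failure described above comes from tying event recognition to one log prefix. The following sketch is an added example, not part of the bug report and not libapparmor's code: it locates the kernel audit header and parses the AppArmor fields after it, whatever syslog prefix comes first. The function name, the sample lines and the set of header forms accepted (`type=1400 audit(...)` and `type=AVC msg=audit(...)`) are assumptions made for this illustration.

```python
import re

# Audit header that precedes the AppArmor payload in syslog and audit.log lines.
AUDIT = re.compile(r'type=(?:1400|AVC)\s+(?:msg=)?audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# Payload fields are key=value or key="value".
FIELD = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')

def parse_apparmor_event(line):
    """Return a dict for an AppArmor audit event, or None for any other line.

    Whatever precedes the audit header (timestamp, host, "kernel:", uptime
    stamp) is skipped, so the syslog prefix format does not matter.
    """
    m = AUDIT.search(line)
    if not m or 'apparmor=' not in m.group(3):
        return None
    event = {'epoch': float(m.group(1)), 'serial': int(m.group(2))}
    for key, quoted, bare in FIELD.findall(m.group(3)):
        event[key] = bare if bare else quoted
    return event

# Constructed sample lines (not taken from the bug report).
PAYLOAD = ('operation="open" profile="/usr/bin/example" name="/etc/example.conf" '
           'pid=1234 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0')
SAMPLES = [
    # ISO 8601 syslog prefix
    '2014-01-01T00:00:00.000000+00:00 host kernel: [  100.000000] type=1400 '
    'audit(1388534400.123:42): apparmor="DENIED" ' + PAYLOAD,
    # traditional syslog prefix, newer kernels add "audit:"
    'Jan  1 00:00:00 host kernel: [  100.000001] audit: type=1400 '
    'audit(1388534400.124:43): apparmor="DENIED" ' + PAYLOAD,
    # auditd's audit.log
    'type=AVC msg=audit(1388534400.125:44): apparmor="ALLOWED" ' + PAYLOAD,
    # unrelated syslog line
    'Jan  1 00:00:00 host sshd[999]: Accepted publickey for user',
]

if __name__ == '__main__':
    for line in SAMPLES:
        print(parse_apparmor_event(line))
```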
Changed in apparmor: status: Fix Released → Triaged
Changed in apparmor: status: Fix Committed → Fix Released
This bug affects users on various distributions, see https://bugzilla.opensuse.org/show_bug.cgi?id=905368 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771400 - the Debian bug report also contains some example log lines.