Unable to use aa-logprof to generate log in audit.log

Bug #1771491 reported by Anju
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| AppArmor | New | Undecided | Unassigned | |

Bug Description

Hi,
In my setup, we have configured audit.log to have the AppArmor messages. I enabled complain mode for my process and I get the error in audit.log in the following format.

    node=compute-0-1.domain.tld type=AVC msg=audit(1526403807.904:3870854): apparmor="ALLOWED" operation="recvmsg" profile="/usr/sbin/ovs-vswitchd" pid=88501 comm="ovs-vswitchd" laddr=192.168.40.20 lport=52780 faddr=192.168.40.26 fport=6653 family="inet" sock_type="stream" protocol=6 requested_mask="receive" denied_mask="receive"

But when I try to run aa-logprof on this, it is not able to parse this message. Is there some configuration I am missing? How can I generate the logs from this audit.log?

Please help!!
These are the packages I have installed.

    root@compute-0-1:~# dpkg -l | grep apparmor
    ii apparmor 2.10.95-0ubuntu2.6~14.04.1 amd64 user-space parser utility for AppArmor
    ii apparmor-utils 2.10.95-0ubuntu2.6~14.04.1 amd64 utilities for controlling AppArmor
    ii libapparmor-perl 2.10.95-0ubuntu2.6~14.04.1 amd64 AppArmor library Perl bindings
    ii libapparmor1:amd64 2.10.95-0ubuntu2.6~14.04.1 amd64 changehat AppArmor library
    ii python3-apparmor 2.10.95-0ubuntu2.6~14.04.1 amd64 AppArmor Python3 utility library
    ii python3-libapparmor 2.10.95-0ubuntu2.6~14.04.1 amd64 AppArmor library Python3 bindings

Christian Boltz (cboltz) wrote:

Looks like libapparmor doesn't like this log format :-(

If I remove the node=... part (so that the line starts with type=AVC), it can be parsed.

As a workaround, try

    aa-logprof -f <( sed 's/node=compute-0-1.domain.tld //' audit.log)
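
A generalization of the workaround in the comment above, as an added example that is not part of the original bug report or of AppArmor's own code: it strips a leading `node=` field for any host name rather than one hard-coded name, and lists which node names a log contains. The function names, the second host name and the log path in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: strip a leading "node=<name> " field from audit records so
# each line starts with "type=...", the form the comment above reports as
# parseable by aa-logprof.

# Remove the node= field only when it is the first field on the line;
# lines that already start with "type=" pass through unchanged.
strip_audit_node() {
    sed -E 's/^node=[^[:space:]]+[[:space:]]+//'
}

# List the distinct node names present, useful when the log aggregates
# records from several hosts.
list_audit_nodes() {
    sed -n -E 's/^node=([^[:space:]]+)[[:space:]].*/\1/p' | sort -u
}

# Constructed sample input: the record from the report, one record from a
# hypothetical second host, and one record with no node= field.
sample_log() {
    cat <<'EOF'
node=compute-0-1.domain.tld type=AVC msg=audit(1526403807.904:3870854): apparmor="ALLOWED" operation="recvmsg" profile="/usr/sbin/ovs-vswitchd" pid=88501 comm="ovs-vswitchd" laddr=192.168.40.20 lport=52780 faddr=192.168.40.26 fport=6653 family="inet" sock_type="stream" protocol=6 requested_mask="receive" denied_mask="receive"
node=compute-0-2.example type=AVC msg=audit(1526403808.100:17): apparmor="ALLOWED" operation="open" profile="/usr/sbin/ovs-vswitchd" name="/tmp/x" pid=4242 comm="ovs-vswitchd" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1526403809.000:18): apparmor="ALLOWED" operation="open" profile="/usr/sbin/ovs-vswitchd" name="/tmp/y" pid=4242 comm="ovs-vswitchd" requested_mask="r" denied_mask="r"
EOF
}

# Demonstration on the constructed sample: every output line starts with type=AVC.
sample_log | strip_audit_node

# Usage against a real log (bash, for process substitution; the path is an
# assumption and depends on the auditd configuration):
#   aa-logprof -f <(strip_audit_node < /var/log/audit/audit.log)
```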
