logprof doesn't handle marks (in any usefull way)

Logprof should not be marking the messages file. genprof does when you start a profile development run - for this you should see something like " GenProf: 16ab5bf0d80d869e30edcbd2be0f9844". So then running
  "logprof -m 16ab5bf0d80d869e30edcbd2be0f9844"
Would only look at messages after that mark.

Thanks for making this clear! I don't know where the "-- MARK --" in my /var/log/messages comes from (do you know?) but I can confirm now that it's defenitly not logprof who makes them!

But wouldn't it be good if logprof had the ability to make marks? I mean why is someone using logprof? For updating a profile which was to strict or simply to check if the profiled application tried something which is not allowed or? So after someone checked logprof and did some rule changing this should be marked imo because if he tries to update later the profile of another app he gets asked for the same things of the first app again.

My workaround now is simply to manually add a mark to /var/log/messages like simply a new line with the word: MARK. If I now execute "sudo logprof -m MARK" logprof acts correctly and ignores everything before.

But one thing is important to mention: logprof doesn't look for the last mark but for the first!! So if you have:

AA-complainlog1
MARK
AA-complainlog2
MARK

and do logprof -m MARK, logprof will react on the AA-complainlog2 because he just ignores everything before the first MARK found and not the last MARK in /var/log/messages so you have to use everytime another string as MARK. Is this a correct behavior?

greets

Hi.

This is the intended behavior of logprof/genprof (perhaps as you suggest there could be better intended behavior :)

The way its used is that genprof marks the log with a random string to denote the log section it should be looking at when you "Scan For Events" while generating a new profile. So the tools know to ignore everything before the mark.

Its possible that logprof could be modified so that it records the last entry processed (the date or some unique id from the log entry - or even marks the log again and saves the mark). Then on subsequent runs it could start where it left of - so not asking the same questions that you have chosen Deny for.

-dom

It uses the logger command (defined in /etc/apparmor/logprof.conf) to mark the logs.

On Wed, Dec 05, 2007 at 09:59:40AM -0000, Adna rim wrote:
> Thanks for making this clear! I don't know where the "-- MARK --" in my
> /var/log/messages comes from (do you know?) [...]

The syslog daemon itself generates this so that you know that both syslogd
and the system as a whole were up over this time period. The default
syslogd behavior is to generate these marks every 20 minutes; you can
turn it off or alter the interval by editing /etc/default/syslogd to
add the flag "-m [interval]". See the sysklogd(8) for a few more details.

The AppArmor utilities don't intentionally make use of syslogd's
internal marks; instead, they generate their own unique markers to
indicate where they should begin looking at the logfile (when they
aren't looking at the entire logfile),

Thanks.

--
Steve Beattie
<email address hidden>
http://NxNW.org/~steve/

Okay I wrote now a script which improves logprof with the ability to make and remember marks.

Very cool! You should post this to <email address hidden> (aa development list).

-dom

Thanks for pointing me to this list but I found no place to suscribe to it? I just wrote an email now to it.

greets

http://forge.novell.com/mailman/listinfo/apparmor-dev is the signup page - but before you'll be able to login it will make you sign up for a Novell Forge account.

-dom

Thank you, I finally managed to suscribe myself :)