The latest audit messages are actually not present in /var/log/messages or /var/log/daemon. They do however show up when running dmesg. root@thosjo-lab:~# grep audit /var/log/messages /var/log/daemon.log| wc -l 0 root@thosjo-lab:~# dmesg|grep audit| wc -l 646 root@thosjo-lab:~# dmesg|grep audit | tail -n5 [28191.924373] type=1502 audit(1225212747.947:22163): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=0 name="/proc/loadavg" pid=4836 profile="/usr/lib/sm.bin/sendmail" [28196.924211] type=1502 audit(1225212752.947:22164): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=0 name="/proc/loadavg" pid=4836 profile="/usr/lib/sm.bin/sendmail" [28196.924383] type=1502 audit(1225212752.947:22165): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=0 name="/proc/loadavg" pid=4836 profile="/usr/lib/sm.bin/sendmail" [28201.924204] type=1502 audit(1225212757.947:22166): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=0 name="/proc/loadavg" pid=4836 profile="/usr/lib/sm.bin/sendmail" [28201.924391] type=1502 audit(1225212757.947:22167): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=0 name="/proc/loadavg" pid=4836 profile="/usr/lib/sm.bin/sendmail" root@thosjo-lab:~# aa-logprof Reading log entries from /var/log/messages. Updating AppArmor profiles in /etc/apparmor.d. sys------------------besyspupupu----------------besyspupupu--sys--------------------------------------------root@thosjo-lab:~# root@thosjo-lab:~# zgrep audit /var/log/* | tail -n 5 /var/log/messages.3.gz:Oct 1 16:42:33 thosjo-lab kernel: [23249.323475] type=1502 audit(1222872153.928:30857): operation="socket_recvmsg" family="inet" sock_type="stream" protocol=6 pid=7184 profile="null-complain-profile" /var/log/messages.3.gz:Oct 1 16:42:34 thosjo-lab kernel: [23249.323739] type=1502 audit(1222872153.928:30858): operation="socket_recvmsg" family="inet" sock_type="stream" protocol=6 pid=7184 profile="null-complain-profile" /var/log/messages.3.gz:Oct 1 16:42:34 thosjo-lab kernel: [23249.323778] type=1502 audit(1222872153.928:30859): operation="socket_recvmsg" family="inet" sock_type="stream" protocol=6 pid=7184 profile="null-complain-profile" /var/log/messages.3.gz:Oct 1 16:42:34 thosjo-lab kernel: [23249.324893] type=1502 audit(1222872153.930:30860): operation="file_lock" requested_mask="k::" denied_mask="k::" fsuid=1000 name="/home/thosjo/.mozilla/firefox/y5e0krtz.default/urlclassifier3.sqlite" pid=7197 profile="null-complain-profile" /var/log/messages.3.gz:Oct 1 16:42:40 thosjo-lab kernel: [23254.518714] type=1502 audit(1222872159.122:30896): operation="socket_recvmsg" family="inet" sock_type="stream" protocol=6 pid=7184 profile="null-complain-profile" root@thosjo-lab:~# lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 8.10 Release: 8.10 Codename: intrepid root@thosjo-lab:~# uname -a && dpkg -l |grep apparmor Linux thosjo-lab 2.6.27-7-generic #1 SMP Fri Oct 24 06:42:44 UTC 2008 i686 GNU/Linux ii apparmor 2.3+1289-0ubuntu4 User-space parser utility for AppArmor ii apparmor-utils 2.3+1289-0ubuntu4 Utilities for controlling AppArmor ii libapparmor-perl 2.3+1289-0ubuntu4 AppArmor library Perl bindings ii libapparmor1 2.3+1289-0ubuntu4 changehat AppArmor library root@thosjo-lab:~# aa-status apparmor module is loaded. 10 profiles are loaded. 3 profiles are in enforce mode. /usr/share/gdm/guest-session/Xsession /usr/lib/cups/backend/cups-pdf /usr/sbin/cupsd 7 profiles are in complain mode. /usr/sbin/ntpd /usr/sbin/acpid /sbin/syslogd /usr/lib/sm.bin/sendmail /sbin/dhclient3 /sbin/wpa_supplicant /usr/lib/firefox-3.0.3/firefox.sh 8 processes have profiles defined. 0 processes are in enforce mode : 8 processes are in complain mode. /usr/lib/sm.bin/sendmail (4836) /usr/sbin/ntpd (5375) /sbin/wpa_supplicant (5080) /usr/sbin/ntpd (5376) null-complain-profile (5020) /sbin/dhclient3 (5221) /usr/sbin/acpid (4349) /sbin/syslogd (4468) 0 processes are unconfined but have a profile defined.