Allow to switch to “traditional” log format.
tastytea opened this issue · 3 comments
AppArmor can't parse Metalog's logs. It would be nice to be able to switch to the syslogd-format per section.
What exactly do you want the format to look like? Can you find out why AppArmor isn't able to parse the logs, and give an example here of how it should look?
I'm not sure what exactly AppArmor expects, but it looks for /var/log/syslog, /var/log/messages and /var/log/kern.log. That makes me think it looks for files in the “traditional” format: DATE HOSTNAME TAG: MESSAGE (example: Dec 14 12:24:51 xubuntu-1804-vm blueman-mechanism: loading Network).
It would be great if I could either define my own log format or use a predefined compatibility-format, like this:
syslogd format :
facility = "*"
minimum = 6
format = syslogd
logdir = "/var/log/compat"
metalog:
Apr 10 05:09:58 [postfix/pickup] ACA40363C63: uid=0 from=<root>
syslog-ng:
Apr 10 04:31:43 mail2 postfix/pickup[31770]: 4FHSsC2t90z448K: uid=0 from=<root>
Most log analysis tools take the lazy approach and match those log entries with a regular expression. The missing hostname and PID in particular cause problems for tools like postfix-logwatch.
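To make the difference between the two formats concrete, here is an added example (not code from Metalog, syslog-ng or any of the tools mentioned in this thread) that parses both line shapes quoted above and rewrites a Metalog line into the traditional DATE HOSTNAME TAG: MESSAGE form. The sample lines are constructed for the example and modelled on the ones posted in the thread; the hostname is supplied by the caller because Metalog's output does not carry one, and no PID is emitted because there is none to recover from a Metalog line. The regular expressions are this example's own, not the ones used by AppArmor or postfix-logwatch.

```python
import re
from typing import Iterable, Iterator, Optional

# Constructed sample lines in the two formats discussed in the thread.
METALOG_LINE = "Apr 10 05:09:58 [postfix/pickup] ACA40363C63: uid=0 from=<root>"
SYSLOGD_LINE = "Apr 10 04:31:43 mail2 postfix/pickup[31770]: 4FHSsC2t90z448K: uid=0 from=<root>"
SYSLOGD_NOPID_LINE = "Dec 14 12:24:51 xubuntu-1804-vm blueman-mechanism: loading Network"

# BSD-style timestamp: "Mon DD HH:MM:SS" with a space-padded day.
_DATE = r"(?P<date>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d)"

# Metalog: DATE [TAG] MESSAGE -- no hostname, no PID.
METALOG_RE = re.compile(rf"^{_DATE} \[(?P<tag>[^\]]+)\] (?P<msg>.*)$")

# Traditional syslogd: DATE HOST TAG[PID]: MESSAGE, with "[PID]" optional.
# The host class deliberately excludes "[" so a Metalog "[tag]" is not
# silently taken for a hostname (a laxer \S+ would mis-attribute instead
# of failing, which is the worse outcome for a log analyser).
SYSLOGD_RE = re.compile(
    rf"^{_DATE} (?P<host>[\w.-]+) (?P<tag>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def parse_metalog(line: str) -> Optional[dict]:
    """Return the fields of a Metalog-format line, or None if it does not match."""
    m = METALOG_RE.match(line)
    return m.groupdict() if m else None


def parse_syslogd(line: str) -> Optional[dict]:
    """Return the fields of a traditional syslogd line, or None if it does not match.

    'pid' is None when the tag carries no "[PID]" suffix.
    """
    m = SYSLOGD_RE.match(line)
    return m.groupdict() if m else None


def metalog_to_syslogd(line: str, hostname: str) -> Optional[str]:
    """Rewrite one Metalog line into DATE HOSTNAME TAG: MESSAGE.

    The hostname must be supplied by the caller (assumption: it is not in the
    input).  No "[PID]" is emitted because a Metalog line has no PID to copy.
    Lines that are not in Metalog format are returned unchanged as None so the
    caller can decide how to handle them.
    """
    fields = parse_metalog(line)
    if fields is None:
        return None
    return f"{fields['date']} {hostname} {fields['tag']}: {fields['msg']}"


def convert_stream(lines: Iterable[str], hostname: str) -> Iterator[str]:
    """Convert a stream of Metalog lines; pass through anything that is
    already in syslogd format, drop lines in neither format."""
    for line in lines:
        line = line.rstrip("\n")
        converted = metalog_to_syslogd(line, hostname)
        if converted is not None:
            yield converted
        elif parse_syslogd(line) is not None:
            yield line


if __name__ == "__main__":
    for original in (METALOG_LINE, SYSLOGD_LINE, SYSLOGD_NOPID_LINE):
        print("accepted by syslogd regex:", parse_syslogd(original) is not None, "|", original)
    for out in convert_stream([METALOG_LINE, SYSLOGD_LINE, "not a log line"], "mail2"):
        print("converted:", out)
```

Running it shows the Metalog line is rejected by the syslogd regex while both traditional lines (with and without a PID) are accepted, and that after conversion the Metalog line parses with the same tag and message as a native syslogd line. The absent PID is the remaining gap: a compatibility format in Metalog could only supply it if Metalog records it at all, so tools that insist on "[PID]" would still need their own fallback.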