hvisage/metalog

Allow to switch to “traditional” log format.

tastytea opened this issue · 3 comments

AppArmor can't parse Metalog's logs. It would be nice to be able to switch to the syslogd-format per section.

How exactly do you want the format to look? Can you find out why AppArmor isn't able to parse the logs and give an example here of how it should look?

I'm not sure what exactly AppArmor expects, but it looks for /var/log/syslog, /var/log/messages and /var/log/kern.log. That makes me think it looks for files in the “traditional” format: DATE HOSTNAME TAG: MESSAGE (example: Dec 14 12:24:51 xubuntu-1804-vm blueman-mechanism: loading Network).

It would be great if I could either define my own log format or use a predefined compatibility-format, like this:

syslogd format :
    facility = "*"
    minimum  = 6
    format = syslogd
    logdir   = "/var/log/compat"

metalog:

Apr 10 05:09:58 [postfix/pickup] ACA40363C63: uid=0 from=<root>

syslog-ng:

Apr 10 04:31:43 mail2 postfix/pickup[31770]: 4FHSsC2t90z448K: uid=0 from=<root>

Most log analysis tools take the lazy approach and match those log entries with a regular expression. The missing hostname and PID in particular cause problems for tools like postfix-logwatch.
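The mismatch between the two sample lines above, as an added example that is not part of the thread or of metalog's code: a parser that recognises both layouts and rewrites the metalog one into DATE HOSTNAME TAG: MESSAGE. The regular expressions, the function names and the hostname passed to the converter are assumptions made for illustration.

```python
import re

DATE = r"(?P<date>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2})"

# Traditional layout: DATE HOSTNAME TAG[PID]: MESSAGE (PID optional).
# The hostname class excludes "[" on purpose: with a lazy \S+ the metalog
# tag "[postfix/pickup]" would be accepted as the hostname and the queue ID
# as the tag, so the line would parse "successfully" with wrong fields.
TRADITIONAL = re.compile(
    DATE + r" (?P<host>[A-Za-z0-9._-]+) "
    r"(?P<tag>[^\s\[\]:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

# metalog layout as in the sample on this page: DATE [TAG] MESSAGE.
METALOG = re.compile(DATE + r" \[(?P<tag>[^\]]+)\] (?P<msg>.*)$")


def parse(line):
    """Return (layout_name, fields) or (None, None) if neither layout fits."""
    for name, rx in (("traditional", TRADITIONAL), ("metalog", METALOG)):
        m = rx.match(line)
        if m:
            return name, m.groupdict()
    return None, None


def to_traditional(line, hostname):
    """Rewrite a metalog line as DATE HOSTNAME TAG: MESSAGE.

    The PID never appears in the metalog line, so it cannot be restored;
    the hostname has to be supplied by the caller.
    """
    name, f = parse(line)
    if name == "traditional":
        return line
    if name != "metalog":
        raise ValueError("unrecognised log line: %r" % line)
    return "%s %s %s: %s" % (f["date"], hostname, f["tag"], f["msg"])


if __name__ == "__main__":
    # The two sample lines quoted in the thread.
    metalog_line = "Apr 10 05:09:58 [postfix/pickup] ACA40363C63: uid=0 from=<root>"
    syslog_ng_line = ("Apr 10 04:31:43 mail2 postfix/pickup[31770]: "
                      "4FHSsC2t90z448K: uid=0 from=<root>")
    print(parse(syslog_ng_line))
    print(parse(metalog_line))
    # "mail2" is an assumed hostname, borrowed from the syslog-ng sample.
    print(to_traditional(metalog_line, "mail2"))
```
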