2023-01-29 22:18:22 +01:00
---
title: Report AppArmor logs
---
2023-10-27 16:27:23 +02:00
The ** [aa-log ](usage.md#apparmor-log )** tool reports all AppArmor `DENIED` and `ALLOWED` . It should be used to fix AppArmor related issues.
2023-01-29 22:18:22 +01:00
2024-01-28 00:13:43 +01:00
While testing, if something get wrong, you need to put the profile in complain mode, so that you can investigate, and it does not block your program.
2023-04-19 20:23:57 +02:00
2024-01-28 00:13:43 +01:00
When creating [an issue on Github][newissue], please post a link to the [paste] of the audit log generated with:
```sh
aa-log -R
```
2024-08-30 21:38:30 +02:00
??? question "No logs with `aa-log` ?"
If the log file is empty, check that Auditd is running:
```sh
sudo systemctl status auditd.service
```
If Auditd is disabled aa-log will not have new results, you can enable Auditd with:
```sh
sudo systemctl enable auditd.service --now
```
If this command produces nothing, use `-s` to provide all logs since boot time (provided that `journalctl` collected them):
2024-01-28 00:13:43 +01:00
```sh
aa-log -s -R
```
2023-01-29 22:18:22 +01:00
2024-08-30 21:38:30 +02:00
??? question "No logs with `aa-log -s` ?"
2024-06-07 21:31:17 +02:00
2024-08-30 21:38:30 +02:00
On certain distributions/configurations, AppArmor logs in journal could be taken over by *auditd* when it is installed. To overcome this, `systemd-journald-audit.socket` could be enabled:
2024-06-07 21:31:17 +02:00
2024-08-30 21:38:30 +02:00
```sh
sudo systemctl enable systemd-journald-audit.socket
```
2024-06-03 20:06:02 +02:00
2024-08-30 21:38:30 +02:00
You can get older logs with:
```sh
aa-log -R -f < nb >
```
Where `<nb>` is `1` , `2` , `3` and `4` (the rotated audit log file).
2024-06-03 20:06:02 +02:00
2023-01-29 22:18:22 +01:00
[newissue]: https://github.com/roddhjav/apparmor.d/issues/new
[paste]: https://pastebin.com/