% aa-log(8) % aa-log was written by Alexandre Pujol (alexandre@pujol.io) % September 2024 # NAME aa-log — Review AppArmor generated messages in a colorful way. # SYNOPSIS **aa-log** [*options…*] [*profile*] # DESCRIPTION Review AppArmor generated messages in a colourful way. Support logs from *auditd*, *systemd*, *syslog* as well as *dbus session* events. It can be given an optional profile name to filter the output with. It can be used to generate AppArmor rules from the logs and it therefore an alternative to `aa-logprof(8)`. The generated rules should be manually reviewed and inserted into the profile. Default logs are read from `/var/log/audit/audit.log`. Other files in `/var/log/audit/` can easily be checked: **aa-log -f 1** parses `audit.log.1` # OPTIONS **aa-log** [*options…*] [*profile*] [*profile*] : Optional profile name to filter the output with. `--file`, `-f` : Set a logfile or a suffix to the default log file. `--systemd`, `-s` : Parse systemd logs from journalctl. Provides all AppArmor logs since the last boot. `--rules`, `-r` : Convert the log into AppArmor rules. `--raw`, `-R` : Print the raw log without any formatting. Useful for reporting logs. `--help`, `-h` : Print the program usage. # USAGE To read the AppArmor log from `/var/log/audit/audit.log`: ```sh aa-log ``` To optionally filter a given profile name: `aa-log ` (your shell will autocomplete the profile name): ``` $ aa-log dnsmasq DENIED dnsmasq open /proc/sys/kernel/osrelease comm=dnsmasq requested_mask=r denied_mask=r DENIED dnsmasq open /proc/1/environ comm=dnsmasq requested_mask=r denied_mask=r DENIED dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r ``` To generate AppArmor rule: ``` $ aa-log -r dnsmasq profile dnsmasq { @{PROC}/@{pid}/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, } ``` # SEE ALSO `aa-logprof(8)`, `apparmor(7)`, `apparmor.d(5)`, `aa-genprof(1)`, `aa-enforce(1)`, `aa-complain(1)`, `aa-disable(1)`, and https://apparmor.pujol.io.