Logging and Auditing

All AppArmor events are logged using the system's audit interface (auditd, which writes to /var/log/audit/audit.log). On top of this infrastructure, event notification can be configured using YaST. Notification is based on the severity levels defined in /etc/apparmor/severity.db; the notification frequency and the type of notification (such as e-mail) can both be configured.

If auditd is not running, AppArmor logs to the system log located under /var/log/messages using the LOG_KERN facility.

Use YaST for generating reports in CSV or HTML format.

The Linux audit framework contains a dispatcher that can send AppArmor events to any consumer application via dbus. The GNOME AppArmor Desktop Monitor applet is one example of an application that gathers AppArmor events via dbus. To configure audit to use the dbus dispatcher, set the dispatcher in your audit configuration in /etc/audit/auditd.conf to apparmor-dbus and restart auditd:

dispatcher=/usr/bin/apparmor-dbus

Once the dbus dispatcher is configured correctly, add the AppArmor Desktop Monitor to the GNOME panel. As soon as a REJECT event is logged, the applet's panel icon changes appearance and you can click the applet to see the number of reject events per confined application. To view the exact log messages, refer to the audit log under /var/log/audit/audit.log. Use the YaST Update Profile Wizard to adjust the respective profile.
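The per-profile reject count that the applet displays can also be produced directly from the audit log, which is useful on servers without a GNOME panel. The following POSIX shell function is an added example and not part of the AppArmor documentation or tooling. It assumes two record layouts: the key=value form with apparmor="DENIED" and profile="..." fields, and the older free-text form containing "REJECTING ... profile <path>". The sample log lines are constructed for illustration and do not come from a real system.

```shell
#!/bin/sh
# Added example (not from the AppArmor documentation): count AppArmor
# reject/deny events per confined profile in an audit log.

# count_rejects [LOGFILE]
# Reads LOGFILE (default: stdin) and prints "COUNT PROFILE" lines,
# most frequently rejected profile first. ALLOWED records (complain
# mode) and unrelated audit record types are ignored.
count_rejects() {
    awk '
        # Key=value layout: ... apparmor="DENIED" ... profile="/usr/sbin/foo" ...
        /apparmor="DENIED"/ {
            if (match($0, /profile="[^"]*"/)) {
                # strip the 9-character prefix profile=" and the closing quote
                p = substr($0, RSTART + 9, RLENGTH - 10)
                n[p]++
            }
            next
        }
        # Older text layout: REJECTING r access to /x (foo(123) profile /usr/sbin/foo active ...)
        /REJECTING/ {
            if (match($0, /profile [^ )]+/)) {
                # strip the 8-character prefix "profile "
                p = substr($0, RSTART + 8, RLENGTH - 8)
                n[p]++
            }
        }
        END { for (p in n) print n[p], p }
    ' "${1:--}" | sort -rn
}

# Constructed sample audit records (hypothetical timestamps, PIDs and paths).
SAMPLE_LOG='type=APPARMOR_DENIED msg=audit(1700000000.101:201): apparmor="DENIED" operation="open" profile="/usr/sbin/nscd" name="/etc/shadow" pid=1201 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=APPARMOR_ALLOWED msg=audit(1700000000.102:202): apparmor="ALLOWED" operation="open" profile="/usr/sbin/nscd" name="/etc/passwd" pid=1201 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=APPARMOR_DENIED msg=audit(1700000000.103:203): apparmor="DENIED" operation="exec" profile="/usr/sbin/ntpd" name="/bin/sh" pid=1310 comm="ntpd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=APPARMOR_DENIED msg=audit(1700000000.104:204): apparmor="DENIED" operation="open" profile="/usr/sbin/nscd" name="/root/.ssh/id_rsa" pid=1201 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=APPARMOR_DENIED msg=audit(1700000000.105:205): apparmor="DENIED" operation="open" profile="/usr/sbin/nscd" name="/var/lib/nscd/hosts" pid=1201 comm="nscd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=APPARMOR msg=audit(1700000000.106:206): REJECTING w access to /var/tmp/x (ntpd(1310) profile /usr/sbin/ntpd active /usr/sbin/ntpd)
type=SYSCALL msg=audit(1700000000.107:207): arch=c000003e syscall=2 success=no exit=-13'

# Run against the constructed sample; on a real system pass the audit log path:
#   count_rejects /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_LOG" | count_rejects
```

The profile that heads the list is the one whose confinement most often blocks the application and is therefore the first candidate for review with the YaST Update Profile Wizard; a sudden jump in the count for one profile is also a cheap indicator worth alerting on.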