I got this set up and working so I'm going to post what I did here for others.
I just copied the same code as comes default with UFW and modified for apparmor. Now all my apparmor messages go into one log and don't polute the (3) others with junk.
I created a file /etc/rsyslog.d/30-apparmor.conf containing,
Code:
# Log kernel generated apparmor log messages to file
:msg,contains,"apparmor" /var/log/apparmor.log
# Uncomment the following to stop logging anything that matches the last rule.
# Doing this will stop logging kernel generated apparmor log messages to the file
# normally containing kern.* messages (eg, /var/log/kern.log)
& ~
That last line can be commented if you want the messages to flow as usual but I wanted it cut down to just the one log file. You have to restart rsyslog but I rebooted anyway since I had other changes pending.
Bookmarks