Hi, I'm under Debian 10 (kernel 5.4.8-1~bpo10+1) and I installed auditd some weeks ago. Issue: I don't get any AppArmor logs like ALLOWED or DENIED in my /var/log/audit/audit.log while I'm sure I should have some (for example, aa-genprof seems unable to scan my logs and help me to generate an appropriate profile).
I thought AppArmor writes its logs directly in /var/log/audit/audit.log if auditd is already installed, otherwise they go to /var/log/syslog, /var/log/messages or /var/log/kern.log. I have nothing there neither... Did I miss something please? NB: * the only AppArmor related logs I have are some apparmor="STATUS" regarding operation="profile_load" for the most part... * apparmor.service is running and everything is OK with aa-status Thanks in advance :) Best regards, l0f4r0
