[Apparmor-dev] aa-parselog: simple script that parses log messages and print apparmor messages.

Mathias Gug mathiaz at ubuntu.com
Tue Jun 19 10:02:04 MDT 2007 

Hi steve,

On Fri, Jun 15, 2007 at 01:40:10AM -0700, Steve Beattie wrote:
> > I've attached a small script that I use to parse /var/log/messages and
> > print relevant apparmor messages grouped by profiles and running
> > processes.
> Looks good. I admit that I was thrown off a little bit while testing by
> --all not being the default behavior. 
I've reworked that part. By default it processes all messages for all
profiles. I've changed the --all option to --running to process only
messages for running programs.

> It might be nice to support
> examining multiple files; the linux audit daemon sadly can be somewhat
> brittle and will shut itself down for various reasons, so even in an
> environment where the audit infrastructure is used, apparmor events can
> show up in /var/log/messages.
> 
I've reworked the script to parse log messages from standard
input. That way multiple files can be piped to aa-parselog, and
compressed files (from log rotation) can also be processed:
  $ zcat /var/log/messages.*.gz | aa-parselog

> It also might be nice to coalesce duplicate messages, perhaps with
> a count of how many times that action occurred. 
I've added this feature too.

> > It may be integrated into apparmor_status.
> 
> Hmm. I'm not sure it's the right fit for that, although it might be useful
> for apparmor_status to report counts of rejection and permission messages,
> possibly on a per-profile basis.
I'm thinking about adding this to apparmor_status. The actual messages
don't need to be reported. But I'd like to see if there is any rejection
messages.

> Yes, that would be nice. I think Matt's made good progress on that, and
> may have something to review soon, but he'd have to speak to that.
I'm quite interested to use the logparser library. There are a couple of
places now in the code where log parsing is done. I'm parsing log
messages into aa-parselog, but I'm not sure that every case is covered.

--
Mathias
-------------- next part --------------
#!/usr/bin/perl -w

use strict;
use Getopt::Long;

my $report_running = 0;
my $profile_regex = '';
my $help = 0;

GetOptions(
  'running'	=> \$report_running,
  'profile=s'	=> \$profile_regex,
  'help|h'	=> \$help,
) or usage();

sub usage {
  print "Usage: $0 [OPTIONS]\n";
  print "Parse stdin for apparmor messages and print a summary.\n";
  print "OPTIONS :\n";
  print "  --running          process only messages related to running processes\n";
  print "  --profile=name     restrict processing to the profile. DEFAULT: process all profiles.\n",
  print "  --help    this message\n";
  exit;
}

usage() if $help;

my %status = ();

while (<STDIN>) {
	next unless (/audit\([\d\.:]+\):\s(.+)$/);
	my $msg = $1;
	if ($msg =~ /.*\([^\(]+\((\d+)\).+profile\s(.+)\sactive\s.+\)/) {
		my $pid = $1;
		my $profile = $2;
	   	if ( ( $profile_regex ne '' ? $profile =~ /$profile_regex/ : 1)
	   	     and ( $report_running ? (-e "/proc/$pid") : 1) )  {
			if (defined($status{$profile}{$pid}{$msg})) {
				$status{$profile}{$pid}{$msg}++;
			} else {
				$status{$profile}{$pid}{$msg} = 1 ;
			}
		}
	}
}

while ( my ($profile,$processes) = each(%status) ) {
	print "$profile:\n";
	while( my ($pid,$msgs) = each(%{ $processes }) ) {
		print "    $pid: \n";
		while( my ($msg,$msg_nb) = each(%{ $msgs }) ) {
			print "        $msg_nb: $msg\n";
		}
	}
}

More information about the Apparmor-dev mailing list