Monitoring and logging
AppArmor provides detailed auditing capabilities to help administrators monitor confinement, understand application behavior, and troubleshoot policy denials. When an application attempts an action that is restricted by its profile, AppArmor intercepts the action and generates an audit log entry.
These audit logs—typically routed through auditd, dmesg, or the system journal depending on your configuration—are essential for maintaining and refining your security posture. Monitoring these events allows you to quickly identify legitimate application changes that may require profile updates, or catch abnormal activities that could indicate a security threat.
The resources in this section will guide you through capturing, reading, and correctly interpreting AppArmor logs, as well as updating policies to fix unexpected application failures caused by denials.
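As an added illustration of reading these records (not code from the AppArmor project), the following Python parses the key=value fields of AppArmor audit entries as they appear via auditd or dmesg, and counts enforced denials separately from complain-mode hits. The sample log lines, profile names and function names are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample records (not from a real host): two auditd-style denials,
# one dmesg-style denial with a hex-encoded name, one complain-mode hit,
# one status event and one unrelated line.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:210): apparmor="DENIED" operation="open" profile="/usr/sbin/exampled" name="/etc/shadow" pid=4121 comm="exampled" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
type=AVC msg=audit(1700000003.552:214): apparmor="DENIED" operation="open" profile="/usr/sbin/exampled" name="/etc/shadow" pid=4121 comm="exampled" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
[ 8412.330112] audit: type=1400 audit(1700000007.250:217): apparmor="DENIED" operation="open" profile="/usr/sbin/exampled" name=2F7372762F6D792066696C65 pid=4121 comm="exampled" requested_mask="w" denied_mask="w" fsuid=33 ouid=33
type=AVC msg=audit(1700000010.007:220): apparmor="ALLOWED" operation="mknod" profile="/usr/bin/demo-tool" name="/tmp/demo.lock" pid=4300 comm="demo-tool" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1700000012.400:223): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/demo-tool" pid=4310 comm="apparmor_parser"
Nov 14 22:13:40 host sshd[900]: Accepted publickey for admin from 192.0.2.10
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_FIELDS = {"name", "profile", "comm"}  # string fields the kernel may hex-encode

def parse_record(line):
    """Return the key=value fields of one AppArmor record, or None for other lines."""
    if "apparmor=" not in line:
        return None
    rec = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        value = quoted or bare
        # An unquoted string field was hex-encoded by the kernel (the value held
        # spaces, quotes or control characters); decode it as aa-decode would.
        if key in HEX_FIELDS and bare and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        rec[key] = value
    return rec

def summarize(log_text):
    """Count events per (profile, operation, name, denied_mask).

    Returns (denied, complain): DENIED events were blocked by an enforcing
    profile; ALLOWED events were only logged by a profile in complain mode.
    """
    denied, complain = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        key = tuple(rec.get(f) for f in ("profile", "operation", "name", "denied_mask"))
        if rec["apparmor"] == "DENIED":
            denied[key] += 1
        elif rec["apparmor"] == "ALLOWED":
            complain[key] += 1
    return denied, complain
```

Repeated denials for the same profile and path usually point to a profile that needs updating, while a one-off denial on a sensitive path is the kind of event worth investigating.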