Rsyslog followup -- apparmor problem


John Steggall

Dec 8, 2025, 11:24:55 PM
to weewx-user
I've set up separate rsyslog logging for weewx, following the documentation and Vince's recent post. This is on a Linux Mint 22.2 system with an apt installation of weewx. When I restart rsyslog, I get the following error:

2025-12-08T20:07:51.092692-08:00 XPS-13-9370 kernel: audit: type=1400 audit(1765253271.090:163): apparmor="DENIED" operation="open" class="file" profile="rsyslogd" name="/etc/weewx/rsyslog.d/weewx.conf" pid=1343000 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=131

I did a bit of research on apparmor and it looks like kind of a pain to navigate (e.g., https://www.maketecheasier.com/understanding-apparmor-in-ubuntu-linux/).

Wondering if anyone has an easy solution or perhaps I should disable apparmor for rsyslog?

-js

vince

Dec 9, 2025, 1:17:31 AM
to weewx-user
Not an apparmor user, but I do have a question. Why would the OS possibly be complaining about /etc/weewx/rsyslog.d/weewx.conf, which is a provided template file you're supposed to copy to /etc/rsyslog.d? You didn't symlink to it or something, did you? You're supposed to copy it into the /etc/rsyslog.d directory...

John Steggall

Dec 13, 2025, 2:07:37 PM
to weewx-user
In my original post I had followed the recipe specified in:

Make rsyslog on Linux save WeeWX logs separate from system
https://github.com/weewx/weewx/wiki/logging

That resulted in the error messages I mentioned above. Though the wiki specifies symlinking from the directory /etc/rsyslog.d/ to /etc/weewx/rsyslog.d/weewx.conf, Vince suggested that the weewx.conf file should instead be copied to /etc/rsyslog.d/. Indeed, this was *part* of the solution, at least for Linux Mint (an Ubuntu derivative). Apparmor did *not* like the symlink.

On the other hand, logrotate does not mind if /etc/logrotate.d/weewx is a symlink to /etc/weewx/logrotate.d/weewx.

After some debugging, here is a list of other things I had to do in order to get separate logging to work on my system (Linux Mint 22.2 and probably Ubuntu):

* /var/log/weewx -- remove group write permissions from this directory:
$ sudo chmod g-w /var/log/weewx
 
* /etc/weewx/logrotate.d/weewx -- should be owned by root, with weewx group
$ sudo chown root:weewx /etc/weewx/logrotate.d/weewx

* /etc/weewx/logrotate.d/weewx -- remove group write permissions:
$ sudo chmod g-w /etc/weewx/logrotate.d/weewx

* /var/log/weewx/weewxd.log must be owned by syslog:
$ sudo chown syslog:syslog /var/log/weewx/weewx.log
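
An added example, not part of the thread: AppArmor evaluates the path a symlink resolves to, which is why the denial names /etc/weewx/rsyslog.d/weewx.conf rather than a path under /etc/rsyslog.d. The script below pulls the fields out of such a denial and reports which symlink in a config directory resolves to the denied path. The function names are hypothetical, the sample line is the thread's denial trimmed to its audit fields, and GNU `readlink -f` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread); function names are hypothetical.
# Constructed sample: the denial quoted above, trimmed to its audit fields.
SAMPLE='apparmor="DENIED" operation="open" class="file" profile="rsyslogd" name="/etc/weewx/rsyslog.d/weewx.conf" pid=1343000 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=131'

# audit_field LINE KEY: print the value of KEY="value" (nothing if absent).
audit_field() {
    printf ' %s\n' "$1" | sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p"
}

# symlinks_outside DIR: print "link -> target" for every symlink in DIR whose
# resolved target lies outside DIR.
symlinks_outside() {
    dir=$(readlink -f "$1") || return 1
    for f in "$dir"/*; do
        [ -L "$f" ] || continue
        target=$(readlink -f "$f") || continue
        case "$target" in
            "$dir"/*) ;;    # resolves inside DIR
            *) printf '%s -> %s\n' "$f" "$target" ;;
        esac
    done
}

# explain_denial LINE DIR: print the symlink in DIR that resolves to the path
# named in the denial; return 1 if no symlink accounts for it.
explain_denial() {
    denied=$(audit_field "$1" name)
    [ -n "$denied" ] || return 1
    symlinks_outside "$2" | while IFS= read -r entry; do
        if [ "${entry##* -> }" = "$denied" ]; then
            printf '%s\n' "${entry%% -> *}"
        fi
    done | grep .
}

# Stand-alone run: summarise the sample denial, then check the live directory.
printf 'profile=%s path=%s denied_mask=%s\n' \
    "$(audit_field "$SAMPLE" profile)" \
    "$(audit_field "$SAMPLE" name)" \
    "$(audit_field "$SAMPLE" denied_mask)"
explain_denial "$SAMPLE" /etc/rsyslog.d ||
    echo "no symlink in /etc/rsyslog.d resolves to the denied path"
```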

vince

Dec 13, 2025, 2:27:03 PM
to weewx-user
My experience with SELinux (similar though different) is that it freaked out when I symlinked things in a way the OS policies didn't expect me to do. I had to jump through a bunch of hoops to tweak the OS SELinux policies to do its thing based on how I (the system integrator) wanted things to look like. Eventually I just turned SELinux off as it was too much pain to deal with.

Yeah. I know. I know. I know.   :-)