#174 Linux 10.03.2009
How to make SELinux log to a separate file

On Debian the sysklogd daemon is installed by default. I worked with sysklogd for some time, but together with SELinux there were strange problems I could not solve, e.g. the logging stopped for whatever reason and only a reboot of the machine helped. So I installed syslog-ng, which is better anyway and works with SELinux without problems. It has a nice filter system and allows very sophisticated rules.

To tell syslog-ng to write AVC messages to /var/log/audit.log, do the following steps:

vi /etc/syslog-ng/syslog-ng.conf

Between the options and source parts insert:
# direct avc messages into /var/log/audit.log
destination avc { file("/var/log/audit.log"); };
filter avc { match("^.*audit.*avc:"); };
log { source(s_all); filter(avc); destination(avc); };
This creates a destination called avc and a filter called avc. It tells syslog-ng to write messages coming from the source s_all (which is already defined by default) to the destination avc if the message content matches the regex defined in the filter avc.

To prevent the avc messages from also being written to /var/log/messages, modify the following part:
# all messages of info, notice, or warn priority not coming from the auth,
# authpriv, cron, daemon, mail, and news facilities
filter f_messages {
    level(info,notice,warn)
    and not facility(auth,authpriv,cron,daemon,mail,news);
};
It should look like this; it's the same regex as in the avc filter, just negated:
# all messages of info, notice, or warn priority not coming from the auth,
# authpriv, cron, daemon, mail, and news facilities
filter f_messages {
    level(info,notice,warn)
    and not match("^.*audit.*avc:")
    and not facility(auth,authpriv,cron,daemon,mail,news);
};
If you have no X running you should also comment out all parts belonging to xconsole, just to avoid useless avc messages. Then restart syslog-ng and restrict access to the new log file:

/etc/init.d/syslog-ng restart
chmod 640 /var/log/audit.log
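To check what the two filters above actually do before touching a live syslog-ng, here is a small Python emulation of the routing logic (an added example, not part of the original post and not syslog-ng code). It uses the page's regex ^.*audit.*avc: and the level/facility lists of f_messages, runs them over a few constructed syslog messages (the AVC line is a made-up sample, not a real denial), and shows that without the negated match() an AVC message lands in both files, while with it the message goes to /var/log/audit.log only.

```python
import re
from dataclasses import dataclass

# Regex copied from the page's syslog-ng filter: filter avc { match("^.*audit.*avc:"); };
AVC_RE = re.compile(r"^.*audit.*avc:")

# Levels and excluded facilities from the page's f_messages filter.
MESSAGES_LEVELS = {"info", "notice", "warn"}
EXCLUDED_FACILITIES = {"auth", "authpriv", "cron", "daemon", "mail", "news"}


@dataclass
class Msg:
    """Minimal stand-in for a syslog message: facility, priority and message text."""
    facility: str
    level: str
    text: str


def filter_avc(msg):
    """Emulates filter avc: true when the message text matches the AVC regex."""
    return AVC_RE.search(msg.text) is not None


def filter_f_messages_original(msg):
    """The default Debian f_messages filter: AVC lines from the kernel still pass."""
    return msg.level in MESSAGES_LEVELS and msg.facility not in EXCLUDED_FACILITIES


def filter_f_messages_fixed(msg):
    """f_messages with the page's added 'and not match("^.*audit.*avc:")' clause."""
    return (
        msg.level in MESSAGES_LEVELS
        and not filter_avc(msg)
        and msg.facility not in EXCLUDED_FACILITIES
    )


def route(messages, exclude_avc_from_messages=True):
    """Emulate the two log {} statements; returns {destination file: [message texts]}."""
    f_messages = filter_f_messages_fixed if exclude_avc_from_messages else filter_f_messages_original
    out = {"/var/log/audit.log": [], "/var/log/messages": []}
    for m in messages:
        # log { source(s_all); filter(avc); destination(avc); };
        if filter_avc(m):
            out["/var/log/audit.log"].append(m.text)
        # log { source(s_all); filter(f_messages); destination(messages); };
        if f_messages(m):
            out["/var/log/messages"].append(m.text)
    return out


# Constructed sample messages; the AVC line imitates the klogd format but is not a real denial.
SAMPLE = [
    Msg("kern", "notice",
        'kernel: audit(1236700000.123:45): avc:  denied  { read } for  pid=1234 comm="cat" '
        'name="example" scontext=EXAMPLE_SRC tcontext=EXAMPLE_TGT tclass=file'),
    Msg("daemon", "info", "sshd[2222]: Accepted publickey for alice from 192.0.2.10"),
    Msg("user", "info", "logger: nightly backup finished"),
    Msg("cron", "info", "CRON[3333]: (root) CMD (run-parts /etc/cron.hourly)"),
]

if __name__ == "__main__":
    for label, flag in (("default f_messages", False), ("f_messages with negated match()", True)):
        print(f"== {label} ==")
        for dest, lines in route(SAMPLE, exclude_avc_from_messages=flag).items():
            print(f"{dest}: {len(lines)} message(s)")
            for line in lines:
                print("   ", line[:70])
```

Running it shows the AVC line in /var/log/audit.log in both cases, but in /var/log/messages only under the default filter; the daemon and cron lines are dropped from messages by the facility clause exactly as on the page. Note that the regex is effectively unanchored (the leading ^.* matches anything), so any message containing "audit" followed later by "avc:" is diverted, which is what you want for klogd-forwarded kernel AVC records.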