Hi, I have a machine with IPSEC running (Strongswan) and audit to register some user events. The weird thing is that I'm getting this messages logged without having any rule: Jan 6 00:21:43 nodovpn668 audispd: node=nodovpn668 type=MAC_IPSEC_EVENT msg=audit(1325820103.059:2953): op=SA-notfound src=172.16.0.59 dst=172.16.0.181 spi=2351148309(0x8c23ad15) seqno=1463943698 My workaround is: auditctl -a exclude,always -F msgtype=MAC_IPSEC_EVENT Bug or Am I missing something? Regards, Diego -- Diego Woitasen