On Monday, June 5, 2023 6:17:28 PM EDT Vincent Abraham wrote: If you look at the README page of the userspace portion of code, it mentions that there is a netlink api. It simply listens and writes what it finds to disk. Auditing must be enabled and you need to set the pid in the kernel and then listen for events. There is no extensive documentation - the code is the documentation to the low level API. There is also a best effort multicast netlink api that systemd-journald uses to get events out of the kernel. -Steve