Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- In auparse_normalize, assign user-login as the event kind for AUDIT_LOGIN
- In auparse_normalize, move GRP_AUTH to its own event kind, group-change
- In auparse_normalize, assign obj_kind values for some group events
- In auparse_normalize, assign obj_kind values to some MAC events
- In auparse_normalize, try harder to find object for CONFIG_CHANGE events
- In auparse_normalize, correct the primary subject field for USER_LOGIN events
- In auparse_normalize, correct the primary object field for USER_LOGIN events
- Make string lookup tables more robust against bad input
- In auparse, make printing lists more robust against bad input
- In auparse, make unescaping more robust against bad input
- Make ausearch/report a little more robust to bad input
- Fix a memory leak in auparse when extracting a buggy date
- In ausearch --format mode, load interpretations for enriched events
- In auparse, load interpretations for feed events
- In audisp-remote, check for stop if stdin is a pipe (#1443107)
This release continues adjusting the normalizer mappings. I also spent some
time fuzzing the logs and making the utilities more robust. This in theory
should never be a problem because the logs are supposed to be well formed from
the beginning. But just in case... it's better now.
I did find a problem where events that were coming in through the feed API of
auparse were not getting the enriched event information loaded. That is now
fixed. And we had a report of the audisp-remote plugin getting into an
infinite loop if the remote server filled its disk and the remote plugin was
supposed to stop on disk full.
SHA256: fa65289cffdc95a25bfbdba541f43ee1b12c707090a38fd027dcf9354b9014e7
Please let me know if you run across any problems with this release.
-Steve