Steve: Thanks for the quick response - Did a little test on a X86-64 SLES10 SP1 RC2 system - sshed into in and did see the USER_LOGIN line then got out via either an exit or logout and never see an USER_END statement. Here's the relevant lines from /var/log/audit/audit.log: type=USER_AUTH msg=audit(1180108586.633:1292): user pid=31247 uid=0 auid=4294967295 msg='PAM: authentication acct=mwfolsom : exe="/usr/sbin/sshd" (hostname=X.X.X, addr=X.X.X.X, terminal=ssh res=success)' type=USER_ACCT msg=audit(1180108586.633:1293): user pid=31247 uid=0 auid=4294967295 msg='PAM: accounting acct=mwfolsom : exe="/usr/sbin/sshd" (hostname=X.X.X, addr=X.X.X.X,, terminal=ssh res=success)' type=LOGIN msg=audit(1180108586.637:1294): login pid=31248 uid=0 old auid=4294967295 new auid=6122 type=USER_START msg=audit(1180108586.637:1295): user pid=31248 uid=0 auid=6122 msg='PAM: session open acct=mwfolsom : exe="/usr/sbin/sshd" (hostname=X.X.X, addr=X.X.X.X, terminal=ssh res=success)' type=CRED_REFR msg=audit(1180108586.637:1296): user pid=31248 uid=0 auid=6122 msg='PAM: setcred acct=mwfolsom : exe="/usr/sbin/sshd" (hostname=X.X.X, addr=X.X.X.X, terminal=ssh res=success)' type=USER_LOGIN msg=audit(1180108586.641:1297): user pid=31245 uid=0 auid=4294967295 msg='uid=6122: exe="/usr/sbin/sshd" (hostname=X.X.X, addr=X.X.X.X, terminal=/dev/pts/1 res=success) gui, the console, and ssh and then using grep on the log file it appears that the other two routes record both login's and logout's but ssh only records logins. Could this be an issue in Suse's implementation of audit? Thanks! Michael On 5/25/07, Steve Grubb <sgrubb(a)redhat.com&gt; wrote: