Hi, I've just started using auditing utilities to monitor filesystem events. I'm using audit-1.5.2 version. The problem is as follows: If I do "auditctl -a entry,always -w /etc/passwd", then "grep man /etc/passwd", then "ausearch -f passwd", the "grep" command is logged in the log file. However, if I do "auditctl -a entry,always -w /etc", then "grep man /etc/passwd", then "ausearch -f passwd", the "grep" command is not logged in the log file. However, the "vim" command is recorded if I use vim to open that "/etc/passwd" file. Is this the preassumed behavior for the auditing system or have I misconfigured something? Any clues on that? ps: Is there a better way to monitor the whole filesystem behaviors, such as open, create, delete syscalls, instead of just monitoring a single directory? Thanks for your help, Xi