Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Fix memory leak caused by unneeded reference in auparse python bindings
- Revise function hiding technique to better protect audit ABI
- Interpret old-auid, exit syscall parameters
- Create local_events config option to auditd
- Create write_logs option for auditd and deprecate NOLOG log_format option
This release is mostly to get an updated auparse library in circulation that
does not have the memory leak in the get_timestamp function. Offhand I don't
know of any problems besides the one bug report. The bug has been there for
about 8 years with no other reports so it might not affect much. But, I'd
rather be safe than sorry.
The other thing that people should be aware of is 2 new auditd configuration
options. In the last release there was an unannounced command line config
option to auditd, -a. This enabled an aggregate-only mode. I decided long term
it might be better as an auditd.conf option. It's now the local_events option.
The default is "yes". If it's set to "no", then it only logs daemon and
network originating events. This allows the audit daemon to be put into a
container for the sole purpose of aggregating events from other systems.
The other new auditd.conf config option is write_logs. In working on the audit
event enrichment option, I found that we need to decouple an overused idiom in
the log_format option. There was a NOLOG option there that decides if we want
to write events to disk. But it turns out that we might not want to write
events to disk but we do want to enrich events for the plugins or remote
logging. That presents a conflict where we need to separate them. If you
currently have log_format = NOLOG, then you should now set write_logs = no. You
can then put log_format = raw and it won't do any harm. For the time being, a
NOLOG log_format setting will override write_logs to "no" so that it's
backwards compatible.
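As an added illustration (not part of the audit project or this announcement), here is a small checker that reads an auditd.conf fragment, applies the override rule described above (a NOLOG log_format forces write_logs to "no") and reports the effective write_logs, log_format and local_events values together with a migration hint. It assumes the usual one "key = value" per line layout with "#" comments; the default of "yes" for local_events comes from the announcement, while the defaults assumed for write_logs ("yes") and log_format ("raw") are assumptions of this example, not values stated above.

```python
"""Check an auditd.conf for the log_format = NOLOG -> write_logs transition.

Added example; not part of the audit project. Assumes auditd.conf is a
series of "key = value" lines with '#' comments. Defaults for write_logs
and log_format are assumptions; the local_events default is from the
release note.
"""

# Constructed sample: an old-style config still relying on NOLOG.
OLD_STYLE_CONF = """
# constructed sample auditd.conf fragment
log_format = NOLOG
write_logs = yes      # ignored while NOLOG is set
"""

# Constructed sample: the same intent expressed with the new options.
NEW_STYLE_CONF = """
# constructed sample auditd.conf fragment
write_logs = no
log_format = raw
local_events = no     # aggregate only: daemon and network events
"""


def parse_auditd_conf(text):
    """Return {option_name_lowercase: value}; later lines override earlier ones."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key.strip().lower()] = value.strip()
    return opts


def effective_settings(opts):
    """Apply the NOLOG compatibility override and collect migration notes."""
    log_format = opts.get("log_format", "raw").upper()      # assumed default
    write_logs = opts.get("write_logs", "yes").lower()      # assumed default
    local_events = opts.get("local_events", "yes").lower()  # default per release note
    notes = []
    if log_format == "NOLOG":
        # Deprecated idiom: NOLOG overrides write_logs to "no" for compatibility.
        write_logs = "no"
        notes.append("log_format = NOLOG is deprecated; "
                     "set write_logs = no and log_format = raw instead")
    if local_events == "no":
        notes.append("local_events = no: only daemon and network originating "
                     "events are logged (aggregation-only mode)")
    return {
        "write_logs": write_logs,
        "log_format": log_format,
        "local_events": local_events,
        "notes": notes,
    }


def check_conf(text):
    """Convenience wrapper: parse text and return the effective settings."""
    return effective_settings(parse_auditd_conf(text))


if __name__ == "__main__":
    for label, conf in (("old style", OLD_STYLE_CONF), ("new style", NEW_STYLE_CONF)):
        result = check_conf(conf)
        print(label, {k: v for k, v in result.items() if k != "notes"})
        for note in result["notes"]:
            print("  note:", note)
```

Running it on the two constructed fragments shows that the old-style file ends up with write_logs effectively "no" (and a deprecation note), while the new-style file reaches the same result without relying on NOLOG.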
Please let me know if you run across any problems with this release.
-Steve