Some security requirements include auditing events by users and root. So the line might include something like: -F auid=0 -F auid>=500 -F auid!=4294967295 My question is, if you don't include that phrase will the audit system still get everything and not incur a serious performance hit. Effectively it will audit everything for users 1-499, the usual system accounts. Leam -- Mind on a Mission <http://leamhall.blogspot.com/>