Hello, I just wanted to see if anyone has had much success with configuring Red Hat systems to reduce and/or eliminate the occurrence of auid = unset in the audit events? I found the following Red Hat article that provides a fix by updating a grub setting for auditd, but this doesn’t seem to have much of an effect, as I still see a large number of unset values in the logs.

https://access.redhat.com/solutions/971883

Thank you in advance for any information you may have on this.
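
An added example, not part of the original post: a small Python triage script that counts audit records whose auid is unset, grouped by executable, to show which processes produce them. The log lines are constructed samples, and treating a real tty as a sign of an interactive session is a heuristic assumed here.

```python
import re
from collections import Counter

# Raw logs record an unset loginuid as 4294967295 ((uid_t)-1);
# interpreted output (ausearch -i) prints it as "unset".
UNSET = {"unset", "4294967295", "-1"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records, not taken from a real system.
SAMPLE = """\
type=SYSCALL msg=audit(1700000000.101:201): syscall=59 success=yes ppid=1 pid=812 auid=4294967295 uid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond"
type=SYSCALL msg=audit(1700000001.102:202): syscall=59 success=yes ppid=900 pid=901 auid=1000 uid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash"
type=SYSCALL msg=audit(1700000002.103:203): syscall=42 success=yes ppid=1 pid=640 auid=unset uid=root tty=(none) ses=unset comm=sshd exe=/usr/sbin/sshd
type=SYSCALL msg=audit(1700000003.104:204): syscall=59 success=yes ppid=950 pid=951 auid=4294967295 uid=0 tty=pts1 ses=4294967295 comm="sudo" exe="/usr/bin/sudo"
type=SYSCALL msg=audit(1700000004.105:205): syscall=59 success=yes ppid=1 pid=812 auid=4294967295 uid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond"
"""

def parse(line):
    """Split one audit record into a dict of key=value fields."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def summarize(lines):
    """Return (unset-auid counts per executable, executables with unset auid on a tty)."""
    counts, on_tty = Counter(), []
    for line in lines:
        rec = parse(line)
        if rec.get("auid") not in UNSET:
            continue  # auid is set, or the record carries no auid field
        exe = rec.get("exe") or rec.get("comm") or "?"
        counts[exe] += 1
        # Heuristic (assumption): a real tty suggests a login session whose
        # loginuid was never set, which deserves a closer look than a daemon.
        if rec.get("tty", "(none)") != "(none)" and exe not in on_tty:
            on_tty.append(exe)
    return counts, on_tty

if __name__ == "__main__":
    counts, on_tty = summarize(SAMPLE.splitlines())
    for exe, n in counts.most_common():
        print(f"{n:5d}  {exe}")
    print("unset auid with a tty:", ", ".join(on_tty) or "none")
```

To run it against real data, pass the lines of /var/log/audit/audit.log (or saved ausearch output) to `summarize` in place of the sample.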