Hello, I just wanted to see if anyone has had much success with configuring redhat systems to reduce and/or eliminate the occurrence of auid = unset in the audit events? I found the following redhat article that provides a fix by updating
a grub setting for auditd but this doesn’t seem to have much of an effect, as I still see large number of unset values in the logs.
https://access.redhat.com/solutions/971883
Thank you in advance for any information you may have on this.