Can someone give me an example of how to audit the "date" command in the audit.rules file.  I would like for it to report only failures for a user using the command.  Root using the command would report nothing.  I can get this working for file watches but not for executables using:

-a exit,always  -w /etc/shadow -S open -F success!=1

Thanks!