Hi Steve,

thanks for your assistance,

For RHEL5, I know its enabled. But based on your questions above, you are 
asking 2 things. Where to put audit=1 and if pam_loginuid is right. For these, 

# cat /proc/cmdline

and

# cat /proc/self/loginuid

would let you check. In the first, make sure audit=1 is there and in the second 
case, the output should be the uid under which you logged into the system.

-Steve

[root@test /root]# cat /proc/cmdline
ro root=LABEL=/ audit=1 rhgb quiet

[root@test /root]# cat /proc/self/loginuid
0

To narrow the circle;

we have some linux servers and a central log collector system. we are sending audit logs to this log system. this log collector system can parse such logs but this system confused at lines with "auid=4294967295" in audit logs.

i have tried everything but still this lines are coming:

type=USER_ACCT msg=audit(1420656001.965:2804): user pid=6083 uid=0 auid=4294967295 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_ACQ msg=audit(1420656001.966:2805): user pid=6083 uid=0 auid=4294967295 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'

and

[root@test /root]# cat /etc/pam.d/crond
#
# The PAM configuration file for the cron daemon
#
#
session    required     pam_loginuid.so
auth       required     pam_unix.so
auth       required     pam_nologin.so
account    required     pam_unix.so
password   required     pam_unix.so
session    required     pam_unix.so

so is there any other hints or what can i do esle?