USER_END vs USER_LOGOUT

For a group of cloud instances, I am looking to implement a policy whereby any instance will self-destroy if no users were logged into it via ssh for the last X hours. This requires me to track logout events. It seems like the audit log might provide this information. However, looking at that log while a user logs out of an ssh session, I noticed two lines: type=USER_END msg=audit(1399507220.412:179): pid=1327 uid=0 auid=0 ses=2 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/0 res=success' type=USER_LOGOUT msg=audit(1399507220.412:180): pid=1327 uid=0 auid=0 ses=2 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/0 res=success' They appear to correspond to two other events recorded during the same user's login: type=USER_LOGIN msg=audit(1399507218.420:173): pid=22523 uid=0 auid=0 ses=2 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=XXX.XXX.XXX.XXX addr=XXX.XXX.XXX.XXX terminal=/dev/pts/0 res=success' type=USER_START msg=audit(1399507218.420:174): pid=22523 uid=0 auid=0 ses=2 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=XXX.XXX.XXX.XXX addr=XXX.XXX.XXX.XXX terminal=/dev/pts/0 res=success' What is the difference between USER_END and USER_LOGOUT? Which one should I track, in order to capture all session-end events, including the ssh connection being terminated without the user actually typing in "logout"? -- Florin Andrei http://florin.myip.org/