Re: Audit Prelude Logout Tracking

I''m working on an X86_64 RHEL 5.2 system and for NISPOM Chapt. 8 I'm looking to modify the audisp-prelude plugin so that I can get logout events displayed. I see the information in the audit.log as USER_END and have done a small mod in the handle_event routine in audisp-prelude.c so that it looks for AUDIT_USER_END but I've run across the following things: 1) sshd goes through a login/logout cycle ending in USER_END and all is good. node=node01 type=USER_END msg=audit(1234979707.894:203): user pid=7422 uid=0 auid=0 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: session close acct="root" : exe="/usr/sbin/sshd" (hostname=master, addr=10.1.4.100, terminal=ssh res=success)' 2) gdm-binary goes through the same login/logout cycle, but on the USER_END audit message it is missing some information, in particular the source hostname: node=master type=USER_END msg=audit(1234988646.589:364): user pid=6868 uid=0 auid=0 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: session close acct="root" : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)' 3) When crond runs, it goes through a similar cycle (but without the USER_LOGIN step) ending with USER_END node=master type=USER_END msg=audit(1234989001.710:371): user pid=9517 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session close acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' I want to ignore the crond operations and be able to fill in the information from gdm-binary. Has any one done this prelude logout tracking before or have any ideas how I can proceed. As always, a pointer to more information is quite acceptable. Dan