Thanks Kevin.

The systems are at RHEL server release 6.5 (Santiago).

audit.conf and audit.rules shown below from two systems.

[$2E5A48941B4237A7.jpg]
[$4BB798908265A452.jpg]

[$7FF5FF0F1959CCFE.jpg]
[$3C2E87B6222AF600.jpg]

Briane Lin
IBM Global Technology Services - Americas
Identity and Access Management, Automation Solutions
(Email): brlin@us.ibm.com

(Office): (720) 395-2049

"The only easy day was yesterday."
    - US Navy Seals

From: "Boyce, Kevin P (AS)" <Kevin.Boyce@ngc.com>
To: Briane Lin/Phoenix/IBM@IBMUS
Date: 06/04/2014 07:00 AM
Subject: RE: EXT :Need help, we are receiving type=SYSCALL with auid=unset event entries

You might get some better help if you can be a bit more specific.
What version of auditd, kernel, etc. are you running?
What do the contents of your audit.rules and auditd.conf files look like?
 
 
 
From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Briane Lin
Sent: Tuesday, June 03, 2014 4:29 PM
To: linux-audit@redhat.com
Subject: EXT :Need help, we are receiving type=SYSCALL with auid=unset event entries

We are receiving LINUX RHEL versions 5 and 6 in our environment with type=SYSCALL and auid=unset event types.

We are unable to properly monitor an event with AUID=unset. Does anyone know why we are currently seeing these and what the resolution is?


Thanks!

