Does anyone know if the auditd on RHEL4 is capable of capturing logon/logoff and failed authentication events?  This seems to work flawlessly without any additional changes on a RHEL5 system.
Would this just be a configuration change in the PAM stack to allow auditd to get these events, rather than using syslog?

Any ideas would be helpful.

Thanks,
Kevin