I have a test app that quite happily does an audit_set_pid and then sits
there reading /dev/audit.
It works fine if it's in the lead thread. But when I run the same code in my
real app it runs in a different thread. No matter what PID I pass to the
audit subsystem it complains that nobody is listening.
I did audit_set_pid(....getpid...) - no (passes the pid of the manager
thread)
I did audit_set_pid(....gettid...) - no (passes the pid of the LWP)
(I don't really mean I did gettid - I did syscall(__NR_gettid))
I can see in the complaint message that I have given it the pid I intended
to.
I can see in gdb that my LWP id is the same as the one I send to the audit
subsystem - i.e. gettid worked.
Is this a known issue?
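Here's the code snippet:

    #include <assert.h>
    #include <errno.h>
    #include <stdio.h>
    #include <sys/syscall.h>
    #include <unistd.h>
    #include <libaudit.h>

    // m_auditFD is the audit descriptor, opened elsewhere.
    void listen()
    {
        // register for events, using this thread's kernel TID
        pid_t mytid = (pid_t)syscall(__NR_gettid);
        int res = audit_set_pid(m_auditFD, mytid, WAIT_YES);
        assert(res >= 0);
        res = audit_set_enabled(m_auditFD, 1);
        assert(res >= 0);
        static audit_reply reply;
        while (true)
        {
            // block until the next audit record arrives
            res = audit_get_reply(m_auditFD, &reply, GET_REPLY_BLOCKING, 0);
            if (res < 0)
            {
                printf("exit audit %d %d\n", res, errno);
                break;
            }
            // %.*s takes an int precision
            printf("got event %.*s\n", (int)reply.msg.nlh.nlmsg_len, reply.msg.data);
        }
    }
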
The thread sits waiting on the audit_get_reply call, so the FD is open.