I am trying to use a vanilla kernel from kernel.org version 2.6.12 and 2.6.16 with the audit daemon version 1.0.14.  I am using ubuntu, so I have used alien to convert the redhat binary packages for an x86_64 architecture into *.deb files.  I can install the deb files and the audit daemon runs, but it has trouble parsing the audit.rules file.  The error I am getting is "Error sending insert watch request (Invalid Argument)."

Please help.  I have a requirement to use these two kernel versions, and unfortunately can't use redhat, fedora, or their kernel binaries.  I have recompiled my kernel with auditing turned on.  I can look in the audit.log file and see events being written there when I start and stop the daemon, so I know the daemon works.  I just need to know how to parse the log file correctly.  Also when you bypass the log file and just use auditctl -w <file to watch>, the same error is returned.

Thanks in advance.

Kevin Boyce
kevin.boyce@ngc.com
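As an added illustration (not part of Kevin's post, and not code from audit-1.0.14), the script below reads a rules file in the auditctl(8) syntax and separates the `-w` path-watch lines, which the error message in the post ties to the "insert watch request", from syscall-filter rules and control options, so an administrator can see which rules depend on the kernel's watch interface before loading them. The sample rules file is constructed; the `watch_supported` probe assumes a root shell with `auditctl` on PATH and is only run when the script is invoked with `--probe`.

```shell
#!/bin/sh
# Added example: classify the rules in an audit.rules file by the kernel
# interface they need. Not code from the original post or from audit-1.0.14.

# Constructed sample rules file (not the poster's), in auditctl(8) syntax.
SAMPLE_RULES='# flush any rules already loaded
-D
-b 256
# path watches: auditctl turns these into "insert watch" requests
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa
# syscall filter rule: goes through the syscall rule interface instead
-a exit,always -S open -S creat -F uid=0 -k rootfiles
-e 1'

SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_RULES" > "$SAMPLE_FILE"
trap 'rm -f "$SAMPLE_FILE"' EXIT

# classify_rules FILE
# Prints one line per rule as TYPE<TAB>RULE, where TYPE is
#   watch    -w ...            needs kernel support for file watches
#   syscall  -a/-A ...         syscall filter rule
#   control  -D -b -e -f -r    daemon/kernel settings, no rule inserted
#   unknown  anything else
# Blank lines and '#' comments are skipped; leading whitespace is not trimmed.
classify_rules() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*)                          continue ;;
      -w\ *)                            printf 'watch\t%s\n' "$line" ;;
      -a\ *|-A\ *)                      printf 'syscall\t%s\n' "$line" ;;
      -D|-D\ *|-b\ *|-e\ *|-f\ *|-r\ *) printf 'control\t%s\n' "$line" ;;
      *)                                printf 'unknown\t%s\n' "$line" ;;
    esac
  done < "$1"
}

# count_watch_rules FILE: how many rules depend on the watch interface.
count_watch_rules() {
  classify_rules "$1" | awk -F'\t' '$1 == "watch" { n++ } END { print n + 0 }'
}

# watch_supported: probe the running kernel by inserting and removing a watch
# on a scratch file. Assumes a root shell and auditctl on PATH; returns 0 when
# the kernel accepted the watch, 1 otherwise (e.g. "Invalid Argument").
watch_supported() {
  probe=$(mktemp) || return 1
  if auditctl -w "$probe" -p w >/dev/null 2>&1; then
    auditctl -W "$probe" -p w >/dev/null 2>&1
    rm -f "$probe"
    return 0
  fi
  rm -f "$probe"
  return 1
}

# Report on the sample file; run with --probe (as root) to also test the kernel.
classify_rules "$SAMPLE_FILE"
echo "watch rules: $(count_watch_rules "$SAMPLE_FILE")"
if [ "${1:-}" = "--probe" ]; then
  if watch_supported; then
    echo "kernel accepts file watches"
  else
    echo "kernel rejected the watch request; only syscall/control rules will load"
  fi
fi
```

Running it as `sh check_rules.sh` prints the classification of the constructed sample; `sh check_rules.sh --probe` as root additionally reports whether the running kernel accepts a watch, which is the quickest way to tell a rules-file problem from a missing kernel feature.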