Hello, I write you because i do not know how to go further without solving my problem. When a user switches from username to root using sudo su - this action is audited by LAF but since that change the user-id in the LAF logfile is 0 for root user. If my user uses chmod afterwords to change file permissions i can not see which user did the change because user-id is 0 and the auditid is always 4294967295. Can you tell me how it is possible to trace the user after switching to root ?? Thanks in advance, Jan