On Thursday 03 May 2007 10:00, Robert Evans wrote:
> In doing some testing with the last audit module (testing on FC5) I found
> the following behavior
> 1. login and logout events recorded from GDM login
> 2. login and logout events recorded from su
> 3. login events recorded from ssh connections, no logout events (USER_END)
> logged.

Login is marked by the USER_LOGIN event. There should be a USER_START event
that identifies the beginning of the session. A USER_END event denotes the
end of the session. So, for "su"...you should see a session begin, not a
login.

> Is there something I need to do to catch these ssh disconnects?

Update openssh. This was a bug in that the logging of this event was done from
a place where not enough privileges existed. I think 4.3p2-13 has the fix
for it.
-Steve
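
Added example, not part of the original message and not code from the audit or openssh projects: a check that pairs each USER_START record with a later USER_END and reports sessions that never closed, which is how the ssh case in this thread shows up in the log. The sample records are constructed, and pairing on (exe, pid) is an assumption made for this sketch.

```python
import re
from collections import defaultdict

# Constructed sample records modelled on the audit.log layout; not real logs.
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1178200800.101:201): user pid=2101 uid=0 auid=500 msg='uid=500: exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=USER_START msg=audit(1178200800.140:202): user pid=2101 uid=0 auid=500 msg='PAM: session open acct=user1 : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=USER_START msg=audit(1178200900.210:230): user pid=2240 uid=500 auid=500 msg='PAM: session open acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/1 res=success)'
type=USER_END msg=audit(1178200950.007:231): user pid=2240 uid=500 auid=500 msg='PAM: session close acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/1 res=success)'
type=USER_LOGIN msg=audit(1178201100.250:260): user pid=2377 uid=0 auid=500 msg='uid=500: exe="/usr/sbin/sshd" (hostname=client.example, addr=192.0.2.10, terminal=ssh res=success)'
type=USER_START msg=audit(1178201100.301:261): user pid=2377 uid=0 auid=500 msg='PAM: session open acct=user1 : exe="/usr/sbin/sshd" (hostname=client.example, addr=192.0.2.10, terminal=ssh res=success)'
type=USER_END msg=audit(1178201500.900:290): user pid=2101 uid=0 auid=500 msg='PAM: session close acct=user1 : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
"""

# Record type, timestamp, pid of the reporting process, and its executable.
RECORD = re.compile(
    r'type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):\d+\):'
    r'.*?\bpid=(?P<pid>\d+).*?exe="(?P<exe>[^"]+)"'
)

def parse(log_text):
    """Yield (type, timestamp, pid, exe) for every record that matches."""
    for line in log_text.splitlines():
        m = RECORD.search(line)
        if m:
            yield m["type"], float(m["ts"]), int(m["pid"]), m["exe"]

def unclosed_sessions(log_text):
    """Return (exe, pid, start_ts) for each USER_START with no later USER_END."""
    open_sessions = {}
    for rtype, ts, pid, exe in parse(log_text):
        key = (exe, pid)  # assumption: open and close come from the same process
        if rtype == "USER_START":
            open_sessions[key] = ts
        elif rtype == "USER_END":
            open_sessions.pop(key, None)  # a stray USER_END is ignored
    return sorted((exe, pid, ts) for (exe, pid), ts in open_sessions.items())

def events_by_exe(log_text):
    """Group record types per executable to compare gdm, su and sshd."""
    seen = defaultdict(list)
    for rtype, _ts, _pid, exe in parse(log_text):
        seen[exe].append(rtype)
    return dict(seen)

if __name__ == "__main__":
    for exe, pid, ts in unclosed_sessions(SAMPLE_LOG):
        print(f"no USER_END for {exe} pid={pid} (session opened at {ts})")
```

A session that is still legitimately open at the end of the log is reported as well, so compare the result against currently logged-in users before treating it as missing logging.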