Hi All, I'm working on a system that needs a realtime process creation tool (using C programming), getting the pid ppid and path of the process. I've been trying to use the audit subsystem to do this, but no matter which way I tried, so far I hadn't been successful. I've tried these for task creation: - auditctl -a entry,always -S fork -S vfork -S clone This way I can't know the pid of the new process, just the caller; - auditctl -a entry,always -S brk -F 'a0=0' This way works most of the time, but creates duplicated entries; - auditctl -a task,always With this I get _a lot_ of garbage, and it's too CPU consuming to process the output; And this for task destruction: - auditctl -a entry,always -S exit -S exit_group Works most of the time, but doesn't catch "killall sshd" (doesn't get the "sshd is dying" part). Can anybody help me with these? Thanks in advance. Cheers, Bruno Gustavo Wallauer