Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- When ausearch is interpreting, output "as is" if no = is found
- Correct socket setup in remote logging
- Adjusted a couple default settings for remote logging and init script
- Audispd was not marking restarted plugins as active
- Audisp-remote should keep a capability if local_port < 1024
- When audispd restarts plugin, send event in its preferred format
- In audisp-remote, make all I/O asynchronous
- In audisp-remote, add sigusr1 handler to dump internal state
- Fix autrace to use correct syscalls on s390 and s390x systems
- Add shutdown syscall to remote logging teardowns
- Correct autrace rule for 32-bit systems
The main focus of this release is making the remote logging more robust. We found and
fixed several problems related to all aspects of remote logging. Audispd was not
marking restarted plugins as active and even when it did that, it sent the plugin data
in the non-string format the first time which generally results in missed events. There
was a problem where we dropped all privs in the remote plugin, but if the port was
privileged, reconnecting on a broken connection would fail. A sigusr1 handler was
added so that you can make the remote logging plugin dump some info about its internal
state for troubleshooting.
Aside from that, there was a little work on autrace to correct i386/686 and s390's so
that it works as intended.
Please let me know if you run across any problems with this release.
-Steve
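
The privileged-port problem described in the announcement, as an added example (not code from audisp-remote or the audit project): once a process gives up every capability it can no longer bind a local port below 1024 on reconnect, so the drop has to retain CAP_NET_BIND_SERVICE in that case. The function names are hypothetical, the raw capget/capset syscalls are used instead of any library, and treating a local_port of 0 as "no fixed port" is an assumption.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/capability.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* bind() to a local port below 1024 requires CAP_NET_BIND_SERVICE. */
static unsigned int caps_to_keep(int local_port)
{
    return (local_port > 0 && local_port < 1024)
               ? (1u << CAP_NET_BIND_SERVICE) : 0u;
}

/* Read this process's capability sets (low 32 bits are in data[0]). */
static int read_caps(struct __user_cap_header_struct *hdr,
                     struct __user_cap_data_struct data[2])
{
    memset(hdr, 0, sizeof(*hdr));
    hdr->version = _LINUX_CAPABILITY_VERSION_3;
    return (int)syscall(SYS_capget, hdr, data);
}

/* Low 32 bits of the effective set, or -1 on error. */
static long effective_caps(void)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[2];
    return read_caps(&hdr, data) == 0 ? (long)data[0].effective : -1L;
}

/* Shrink permitted and effective to `keep` and clear inheritable.
 * Fails with EPERM if `keep` asks for a capability already given up. */
static int restrict_caps(unsigned int keep)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[2];
    if (read_caps(&hdr, data) != 0) return -1;
    if (keep & ~data[0].permitted) { errno = EPERM; return -1; }
    memset(data, 0, sizeof(data));
    data[0].permitted = data[0].effective = keep;
    return (int)syscall(SYS_capset, &hdr, data);
}

int main(void)
{
    int local_port = 60;  /* constructed sample setting */
    int rc = restrict_caps(caps_to_keep(local_port));
    printf("restrict rc=%d effective=0x%lx\n", rc, effective_caps());
    return 0;
}
```

Run as root, the process ends up holding only the bind capability; run unprivileged, restrict_caps() reports EPERM because the capability was never held.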