Hello steve, The value of "acct=" which is not in double quotation, cannot be right gotten. The log is: type=USER_CHAUTHTOK msg=audit(1167580800.033:178653): user pid=23192 uid=0 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='op=adding user acct=aulog exe="/usr/sbin/useradd" (hostname=?, addr=?, terminal=pts/6 res=success)' Signed-off-by: Peng Haitao <penght(a)cn.fujitsu.com&gt; --- src/ausearch-parse.c | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c index d9c305a..b80b984 100644 --- a/src/ausearch-parse.c +++ b/src/ausearch-parse.c @@ -791,13 +791,12 @@ static int parse_user(const lnode *n, search_items *s) *term = saved; } else { /* Handle legacy accts */ - char *end = term; + char *end = ptr; int legacy = 0; while (*end != ' ') { if (!isxdigit(*end)) { legacy = 1; - break; } end++; } -- 1.5.3 -- Regards Peng Haitao