-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello all, In RHEL5.2 auditing worked fine for me auid was set to the user's uid and id was set to whatever it happened to be at the time. In RHEL5.4 auid got set to the 'anon' value. In RHEL5.5 auid gets set to '0' but uid is logged in original su entries. Any idea what happened? This makes it very difficult to capture su events where the user used to be something other than 0 without capturing a ton of other garbage as well (unless someone has an elegant solution for that). Thanks, Trevor