Hi, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The ChangeLog is: - In CRYPTO_KEY_USER events, do not interpret the 'fp' field - Change formatting of rules listing in auditctl to look like audit.rules - Change auditctl to do all netlink comm and then print rules - Add a debug option to ausearch to find skipped events - Parse subject, auid, and ses in LOGIN events (3.14 kernel changed format) - In auditd, when shifting logs, ignore the num_logs setting (#950158) - Allow passing a directory as the input file for ausearch/report (LC Bruzenak) - Interpret syscall fields in SECCOMP events - Increase a couple buffers to handle longer input This release cleans up parsing and interpreting a couple events. There is now a --debug option to ausearch which will output to stderr any events that ausearch cannot parse correctly. If anyone finds events using this option, I'd really like to hear about it. A big change in this release is that listing rules with auditctl now formats the output to look like audit.rules. One other feature to call out is that when aureport/search is passed a file using the -if option, you can now pass a directory which will allow searching multiple files. The files still need to have the same numbering scheme that is currently expected. Thanks goes to Lenny Bruzenak for this. Please let me know if you run across any problems with this release. -Steve