On Thursday 20 October 2005 10:42, Rob Myers wrote:
> Is the login summary support supposed to be functional yet?
Yes...but...what I did was instrument login and gdm with a new message type
that sends the login information. These are already in rawhide. These patches
will be carried over to RHEL4 for U3. I will also be patching sshd. A new
message type was used because it's hard to tell that the intent of a session
open is because of a login.
This is what it looks like:
Login Summary Report
=======================================
# auid host term exe success date event
=======================================
1. 0 ? tty1 /bin/login yes 10/20/05 64
2. 0 ? tty1 /bin/login yes 10/20/05 63
3. 4325 localhost :0 /usr/sbin/gdm-binary yes 10/20/05 75
> I don't really like the newline that ctime adds on the event
> reports.
> This patch seems to take care of it, but perhaps there is a better way.
This line has already changed since last night. It's:
    tv = localtime(&l->e.sec);
    strftime(date, sizeof(date), "%x %X", tv);
    printf("%u. %lu %s %s %s\n", line_item,
           l->e.serial,
           audit_msg_type_to_name(l->head->type),
           aulookup_uid(l->s.loginuid, name, sizeof(name)), date);
So, that should produce lines like this:
Event Summary Report
===========================
# event type auid date time
===========================
1. 97 USER_AUTH 4325 10/20/05 10:54:28
2. 98 USER_ACCT 4325 10/20/05 10:54:28
3. 99 USER_START 4325 10/20/05 10:54:28
4. 100 CRED_ACQ 4325 10/20/05 10:54:28
5. 101 AVC -1 10/20/05 10:54:59
Thanks for the feedback.
-Steve
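
The newline issue raised in this thread, shown as an added example that is not part of the original message or of the audit code: a report row built from `ctime()` carries an embedded line break, while the `localtime()` plus `strftime()` form keeps one event per line. The `event_row` struct, both function names and the sample event are hypothetical, constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical row type for this example; not the aureport structures. */
struct event_row {
    unsigned long serial;  /* event serial number */
    const char *type;      /* message type name, e.g. "USER_AUTH" */
    long auid;             /* login uid, -1 when unset */
    time_t sec;            /* event time stamp */
};

/* ctime() always terminates its string with '\n', so the row ends with a
 * line break even before the caller prints its own terminator. */
int row_with_ctime(char *out, size_t len, const struct event_row *e)
{
    const char *stamp = ctime(&e->sec);
    if (stamp == NULL)
        return -1;
    return snprintf(out, len, "%lu %s %ld %s",
                    e->serial, e->type, e->auid, stamp);
}

/* localtime() + strftime() gives a stamp with no newline; both calls are
 * checked so a failed conversion never prints an uninitialised buffer. */
int row_with_strftime(char *out, size_t len, const struct event_row *e)
{
    char date[64];
    struct tm *tv = localtime(&e->sec);
    if (tv == NULL || strftime(date, sizeof(date), "%x %X", tv) == 0)
        return -1;
    return snprintf(out, len, "%lu %s %ld %s",
                    e->serial, e->type, e->auid, date);
}

int main(void)
{
    /* Constructed sample event, not taken from a real audit log. */
    struct event_row e = { 97, "USER_AUTH", 4325, (time_t)1129820068 };
    char a[128], b[128];

    if (row_with_ctime(a, sizeof(a), &e) < 0 ||
        row_with_strftime(b, sizeof(b), &e) < 0)
        return 1;
    printf("ctime:    [%s]\nstrftime: [%s]\n", a, b);
    return 0;
}
```

The `%x %X` output follows the active locale; without a `setlocale()` call the program runs in the "C" locale.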