I have written my own version of aureport. It is still buggy etc, but it does already provide something interesting. For example, it can show command lines. It takes something in the log like: uid=1000 euid=0 argc=4 a0="sudo" a1="cp" a2="qwerty" a3="/etc/xxx" uid = 0 euid=0 argc=4 a0="cp" a1="qwerty" a2="/etc/xxx" and puts out: uid euid command --- ---- ------- 1000 0 sudo cp qwerty /etc/xxx 0 0 cp qwerty /etc/xxx which is interesting. My question is whether I could have done something like this with aureport. (This is part of a much bigger question as to how audit can be used to meet PCI requirements.) Thanks - Michael ----------------