Updated info on my question. From the original message: I've got auditing running pretty well on Fedora and looks like SuSE as well, but RHEL 4 is giving me some problems. I'm working off of RHEL 4 with the following updated packages: kernel-smp-2.6.9-55.EL.x86_64 kernel-smp-devel-2.6.9-55.EL.x86_64 glibc-kernheaders-2.4_9.1.100.EL.x86_64 audit-libs-1.0.15-3.EL4.x86_64 audit-1.0.15-3.EL4.x86_64 All other packages are at the original RHEL4 distribution level. It turns out I had the audit=1 flag set in /etc/grub.conf. I thought I was supposed to include that, but if I removed that, I saw the login/logout events...so my original problem is resolved. Now I'm back to my old problem of SSH doesn't show logouts. I know that the version on RHEL 4 is too old to generate the logouts, but I don't see a new enough version of packages for openssh on redhat.com. I see newer versions of openssh on openssh.org, but I tried to compile those, and use the sshd daemon in place of the one on the distro, and still no luck on ssh. Are there "magic" flags I need to set if I compile openssh myself, or any special configuration options to have it work with auditd? Thanks again! Bob Evans