Hello, According to this [1] and the definition of the res field here [2], the res field should have a value of either success or fail. Here are some logs I generated on Debian: type=USER_START msg=audit(1464013671.525:405): pid=3569 uid=0 auid=1000 ses=7 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success' type=CONFIG_CHANGE msg=audit(1464013671.541:406): auid=1000 ses=7 op="add rule" key=(null) list=4 res=1 type=USER_END msg=audit(1464013671.549:407): pid=3569 uid=0 auid=1000 ses=7 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success’ As you can see, there is a res field which value is 1. Is it because my auditd is outdated? Is there a missing res field which is purely numeric (just like the fields called fp [3])? As Steve said in previous emails, it is possible and it might be fixed already. I’ll try to find out if I get similar logs with the latest auditd (2.6.5) on CentOS 6.8-i386 later. Cheers! -m [1]: https://github.com/linux-audit/audit-userspace/blob/ac9384a884841ef66b4ca... <https://github.com/linux-audit/audit-userspace/blob/ac9384a884841ef66b4ca... [2]: https://github.com/linux-audit/audit-documentation/blob/master/specs/fiel... <https://github.com/linux-audit/audit-documentation/blob/master/specs/fiel... [3]: https://github.com/linux-audit/audit-documentation/blob/master/specs/fiel... <https://github.com/linux-audit/audit-documentation/blob/master/specs/fiel...