Steve, thank you so much =)
I suppose you meant `ncat -U --recv-only`, since `nc` doesn't have a
`--recv-only` option.
ncat works as expected (shows incoming audit messages).
Regards
Rinat
On 14.10.2023 00:42, Steve Grubb wrote:
Hello,
On Tuesday, October 10, 2023 11:53:06 AM EDT Rinat Gadelshin wrote:
> Could I ask your help with the plugin?
The mail list might get a faster response. I sometimes get busy.
> I tried to check it in the following way on my Ubuntu 20.04:
>
> - `systemctl stop auditd`
> - set the 'active' parameter to 'yes' (file /etc/audisp/plugins.d/af_unix.conf)
> - `systemctl start auditd`
> - `systemctl status auditd` shows that the service is running.
> - `auditctl -w /tmp/delme`
> - `auditctl -l` shows that the rule has been successfully added.
> - `ls -l /var/run/audispd_events` prints "srwxr-xr-x 1 root root 0 okt
> 10 18:38 /var/run/audispd_events"
> - launch `nc -Ul /var/run/audispd_events` in another terminal
> - `echo 1 > /tmp/delme`
>
> Expected result: `nc` has received some audit events for the file.
> Actual result: `nc` has received nothing.
nc -U --recv-only /var/run/audispd_events
> Can you tell me what I did wrong?
See above.
-Steve
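The point of the exchange is that the af_unix plugin creates and listens on the socket, so a reader must connect to it (as `ncat -U --recv-only` does) rather than listen with `nc -Ul`. The following is an added example, not code from the thread or from audit-userspace: a small client that connects to the socket and parses the string-format records, picking out the events whose PATH record names the watched file. It assumes the socket path used in the thread, newline-terminated `type=... msg=audit(ts:serial): ...` records with an optional `node=` prefix, and uses constructed sample records for the offline parsing part.

```python
import re
import socket

AUDISP_SOCKET = "/var/run/audispd_events"  # path from the thread; assumed default

# Constructed sample records in auditd's string format (not real captured data).
SAMPLE = [
    'type=SYSCALL msg=audit(1696952280.101:314): arch=c000003e syscall=257 success=yes exit=3 comm="bash" exe="/usr/bin/bash" key=(null)',
    'type=PATH msg=audit(1696952280.101:314): item=0 name="/tmp/delme" inode=4242 nametype=CREATE',
    'node=host1 type=PATH msg=audit(1696952281.222:315): item=0 name="/tmp/other" nametype=NORMAL',
]

HEADER = re.compile(r"^(?:node=\S+ )?type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into type, timestamp, serial and its key=value fields."""
    m = HEADER.match(line.strip())
    if not m:
        return None  # not an audit record (e.g. a blank or truncated line)
    fields = {k: v.strip('"') for k, v in FIELD.findall(m.group("body"))}
    return {"type": m.group("type"), "ts": float(m.group("ts")),
            "serial": int(m.group("serial")), "fields": fields}


def serials_touching(lines, watched):
    """Return the serials of events whose PATH record names the watched file."""
    hits = set()
    for line in lines:
        rec = parse_record(line)
        if rec and rec["type"] == "PATH" and rec["fields"].get("name") == watched:
            hits.add(rec["serial"])
    return hits


def read_records(sock_path=AUDISP_SOCKET):
    """Connect as a client to the plugin's socket and yield one record per line."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)  # the plugin owns the listening side
        buf = b""
        while chunk := s.recv(4096):
            buf += chunk
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                yield line.decode(errors="replace")


if __name__ == "__main__":
    for line in read_records():  # needs auditd with af_unix active, run as root
        rec = parse_record(line)
        if rec:
            print(rec["type"], rec["serial"], rec["fields"].get("name", ""))
```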