Hello, We have setup the audit log on a Redhat linux 7.3 machine We have setup various rules, so far successfully. Our last requirement is to have audit log, when a user execute the su - or su - root, or sudo su I write the following rule , but it does not work -a always,exit -S su -F auid>=200 -F auid!=4294967295 -F key=su-execution How can I audit log the execution of the su command? Best regards Maria -- **