Hello all: I have a requirement to audit/log all failed attempts to access files. I entered the following line in audit.rules: -w exit,always -S open -F success!=0 and audit flags all file exits regardless of success. When I try: -w exit,possible -S open -F success!=0 it does NOT flag any file openings, including failure. I am curious if: -w exit,never -S open -F success=0 but I suspect that the 'first hit takes it' nature of audit-1.0.12 will make the flag at the end useless. So I suppose the question is - do I need to put the -F flag before the -w portion of the entry, or is there some other way to meet the requirement? Thank you all for any insight.