Hello, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit It will also be in rawhide tomorrow. The Changelog is: - Make sure time calc is done using localtime - Raise rlimits for file size & cpu usage - Added new disk_error_action config item to auditd.conf - Rework memory management of event buffer - Improved error handling in event logging thread There was also a small goof in the release yesterday where time calculation was done using gmt - which messes up the date if you only provide a time for -ts or -te. It now uses local time. Also, I'm now raising the rlimits for file size to infinity in case an admin is restarting the audit daemon from a shell that has rlimit restrictions. One of the TODO items was to review all errors and make sure everything is handled in the logging path. I reworked the memory management of the logging thread so there's little chance of that being a problem during write. I also got to thinking about disk failures. If the write fails because the hard drive is toast, we now have a new action item to configure. It is the disk_error_action . It only comes into play during a disk write error condition that is not disk full. Let me know if there are any problems... -Steve