Hi All, I have some disk less workstations upon which I wish to collect audit. Once a workstation is running, I periodically transmit audit in compressed batches of enriched audit (i.e. "ausearch -i" output is sent). My question is: To collect AND transmit audit until the last possible moment, is the logical place to perform the last collection and transmission operation within the 'stop' function of /etc/init.d/auditd ? The enrichment (calling ausearch -i) rules out syslog. Thanks in advance Burn