I appreciate all the helpful comments on my look at auditd. To see what I can do now with audit 0.6, I tried one rule similar to requirements I've mentioned, one failed attempt to trigger an auditd response, and looked at the output to see the feasibility of filtering the output: Using audit-0.6, my single rule is (from /sbin/audtctl -l): AUDIT_LIST: exit always uid=507 (0x1fb) syscall=unlink The failed attempt to be logged was: % rm /etc/passwd The two messages generated in audit.log were: type=KERNEL msg=audit(1105106227.435:12373636): item=0 name=/etc/passwd \ inode=5079041 dev=00:00-l inode=3080372 dev=00:00loginuid=-1 \ uid=507 gid=503 euid=507 suid=507 fsuid=507 egid=503 sgid=503 fsgid=50333gid=503 type=KERNEL msg=audit(1105106227.435:12373636): syscall=10 exit=4294967283 \ a0=bff86b22 a1=0 a2=80505e4 a3=bff86b22 items=1 pid=6137 loginuid=-1 \ uid=507 gid=503 euid=507 suid=507 fsuid=507 egid=503 sgid=503 fsgid=503503 Notice that I can get the file name, the system call, and the exit status of unlink (but I suspect the print format for the exit code is %u instead of %d, thus the apparent large number probably from a negative exit code). But do there have to be two messages? Having one would enable easy querying (assuming I can parse on exit != 0), otherwise a little more difficult (can I assume the messages always come in matching, adjacent pairs?). To sum up, I believe I can write a perl parser to do what I need now (assuming the exit code is correct), even though the message traffic is so high. As autitd's rule capability gets more sophisticated, the message traffic should decrease immensely. I also will write a perl script to perform as my manual rule loader until auditd has its own. Thanks. -Tom Browder