I have setup a watch on specific directories for changes so we can report to our auditors about deployments being done by the proper staff members. So for example -w /root/test -p ra -k test. If I copied / removed a file in that directory, I would get audit results similar to the following: [root@localhost test]# ausearch -k test --format text -ts recent At 14:10:55 02/28/2022 root successfully opened-file /root/test/./hosts using /usr/bin/cp At 14:11:37 02/28/2022 root successfully deleted /root/test/hosts using /usr/bin/rm This worked fine in CentOS 7 and CentOS 8 (not stream). Testing with CentOS-Stream-GenericCloud-8-20220125.1.x86_64.qcow2 also worked until I updated the audit package [root@localhost test]# dnf list installed audit Installed Packages audit.x86_64              3.0-0.17.20191104git1c2f876.el8              @anaconda [root@localhost test]# ausearch -k test --format text -ts recent At 14:10:55 02/28/2022 root successfully opened-file /root/test/./hosts using /usr/bin/cp At 14:11:37 02/28/2022 root successfully deleted /root/test/hosts using /usr/bin/rm [root@localhost test]# dnf list audit CentOS Stream 8 - AppStream                     7.7 MB/s |  20 MB     00:02 CentOS Stream 8 - BaseOS                        9.5 MB/s |  19 MB     00:02 CentOS Stream 8 - Extras                         52 kB/s |  18 kB     00:00 Installed Packages audit.x86_64              3.0-0.17.20191104git1c2f876.el8              @anaconda Available Packages audit.x86_64              3.0.7-1.el8                                  baseos After Upgrade:[root@localhost test]# auditctl -l No rules [root@localhost test]# auditctl -w /root/test -p wa -k test [root@localhost test]# cp /etc/hosts . [root@localhost test]# rm hosts rm: remove regular file 'hosts'? y [root@localhost test]# ausearch -k test --format text -ts recent At 14:10:55 02/28/2022 root successfully opened-file  using /usr/bin/cp At 14:11:37 02/28/2022 root successfully deleted  using /usr/bin/rm At 14:13:16 02/28/2022 system, acting as root, successfully remove_rule test using /usr/sbin/auditctl At 14:14:11 02/28/2022 root successfully add_rule test using /usr/sbin/auditctl At 14:14:23 02/28/2022 root successfully opened-file  using /usr/bin/cp At 14:14:30 02/28/2022 root successfully deleted  using /usr/bin/rm [root@localhost test]# Notice no information on what file was copied / removed? Even the earlier log entries don't show what file was copied / removed. If I downgrade to audit 3.0-0.17, everything is there. Is there another way to monitor a directory so we know which files were modified / removed?