Steve, thank you for your quick response!

Indeed, that's the problem. My copy of PAM is not compiled with audit support.

Many thanks, again,
Robert

-------- Original message --------
From: Steve Grubb
Date: 2019 May 30 14:31:19
Subject: Re: Missing login records - Audit functionality in different kernel versions
To: linux-audit@redhat.com

Hello,

On Thursday, May 30, 2019 3:37:23 AM EDT Róbert Nagy wrote:
> I tested Audit on a Debian 7 (kernel version 3.2.0-5-amd64), but in the
> audit.log I get no USER_AUTH, USER_ACCT, CRED_ACQ, USER_START and
> USER_LOGIN record types at all, only USER_LOGIN types.
>
> As I understand these records should be there without any rules set.
> https://www.redhat.com/archives/linux-audit/2017-July/msg00046.html

Yes. These are sent by pam. So, the question would be, is your copy of pam
compiled with audit support?

ldd /usr/lib64/libpam_misc.so | grep libaudit
        libaudit.so.1 => /lib64/libaudit.so.1 (0x00007f06c2c39000)

> On another server with kernel version 4.9 it works properly. Is there a
> possibility that this Audit functionality is not implemented in kernel
> version 3.2, or is this just a configuration issue on my side?

This should be pam.

-Steve

> We have too many Debian 3.x production servers to consider kernel upgrade
> being an option.
>
> If it's a kernel issue, could you please recommend any workaround?
> Currently I am thinking of parsing the auth.log
>
> Many thanks,
> Robert
>
> auditd.conf:
> log_file = /var/log/audit/audit.log
> log_format = RAW
> log_group = root
> priority_boost = 4
> flush = INCREMENTAL
> freq = 20
> num_logs = 4
> disp_qos = lossy
> dispatcher = /sbin/audispd
> name_format = NONE
> ##name = mydomain
> max_log_file = 5
> max_log_file_action = ROTATE
> space_left = 75
> space_left_action = SYSLOG
> action_mail_acct = root
> admin_space_left = 50
> admin_space_left_action = SUSPEND
> disk_full_action = SUSPEND
> disk_error_action = SUSPEND
> ##tcp_listen_port =
> tcp_listen_queue = 5
> tcp_max_per_addr = 1
> ##tcp_client_ports = 1024-65535
> tcp_client_max_idle = 0
> enable_krb5 = no
> krb5_principal = auditd
> ##krb5_key_file = /etc/audit/audit.key
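
Added example, not part of the original messages: a shell check for the symptom discussed in this thread. It reports which of the record types listed above are absent from an audit log and wraps the ldd test from the reply as a function; the function names, the script name and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes auditd's RAW log_format, where
# a record starts with "type=NAME " or, with name_format set, "node=HOST type=NAME ".

# Record types the thread lists as sent by PAM without any audit rules.
PAM_TYPES="USER_AUTH USER_ACCT CRED_ACQ USER_START USER_LOGIN"

# missing_pam_types LOGFILE: print the listed types that never occur in LOGFILE.
missing_pam_types() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    missing=""
    for t in $PAM_TYPES; do
        # Match the record's own type field only, so type=LOGIN is not USER_LOGIN.
        grep -Eq "^(node=[^ ]+ )?type=$t " "$1" || missing="${missing:+$missing }$t"
    done
    printf '%s\n' "$missing"
}

# links_libaudit FILE: succeed if FILE is dynamically linked against libaudit
# (the ldd | grep check from the reply, as a function).
links_libaudit() {
    ldd "$1" 2>/dev/null | grep -q libaudit
}

# write_sample_log FILE: constructed records resembling the Debian 7 symptom.
write_sample_log() {
    cat > "$1" <<'EOF'
type=DAEMON_START msg=audit(1559201800.001:1): op=start res=success
type=LOGIN msg=audit(1559201843.120:100): pid=2201 uid=0 auid=1000 ses=3 res=1
type=USER_LOGIN msg=audit(1559201843.123:101): pid=2201 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" terminal=ssh res=success'
EOF
}

# Usage (hypothetical script name): sh check_pam_audit.sh AUDIT_LOG [PAM_SHARED_OBJECT...]
if [ $# -gt 0 ]; then
    echo "missing PAM record types: $(missing_pam_types "$1")"
    shift
    for lib in "$@"; do
        if links_libaudit "$lib"; then
            echo "$lib: linked against libaudit"
        else
            echo "$lib: no libaudit dependency"
        fi
    done
fi
```

An empty "missing" list means every listed record type was seen at least once; a non-empty list on a host with recent logins is the cue to run the library check against that host's PAM shared objects.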