On 3/16/21 8:46 PM, Richard Guy Briggs wrote:
>> I have run some simple commands in /data that should be logged, e.g.
>> touch file, mkdir dir. Finally, I have run auditctl -s and expected to see
>> the backlog events counter go up, but it's still 0. If I start auditd
>> again, the events are never logged. Am I missing something here?
> So, since you haven't indicated if you have tried and tested this
> already, please start by running those simple commands while the auditd
> service is running and verifying that those commands do get logged as
> expected. If they don't, fix that first.

I was wondering if the events are delivered to syslog (/var/log/messages) instead while the auditd is down?

Mine are, same kernel version 3.10.0. From the kernel perspective, no backlog?

However, if I stop both audit and rsyslog, add some events the backlog count doesn't increase and I can't see where the events may have been delivered.

LCB

--
Lenny Bruzenak
MagitekLTD