I'm running the auditd service on my RHEL 4 WS 64-bit, and when users access files I am attempting to monitor, the logs (viewed with the GUI Linux built-in System Logs utility) do not reflect user access. Below are my .rules and .conf files (any thoughts?). I have verified the auditd service is enabled and running.
audit.conf
#
# This file controls the configuration of the audit daemon
#
log_file = /var/log/audit/audit.log
log_format = RAW
priority_boost = 3
flush = INCREMENTAL
freq = 20
num_logs = 4
#dispatcher = /sbin/audispd
#disp_qos = lossy
max_log_file = 50
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# First rule - delete all
-D
# Increase the buffers to survive stress events
# Make this bigger for busy systems
# Feel free to add below this line. See auditctl man page
# Increase the buffers to survive stress events
-b 256
-w /etc/audit/audit.conf -p wa -k LOG_conf
-w /etc/ -p wa
#-w /var/log -p wa
-w /etc/audit/audit.conf -p wa -k LOG_conf
#
Any clues? Should I be using the System Log utility to see if these files and directories are being written or appended to?
Take care,
Johnny Mac
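As an added example (not from the original post or from the auditd project), the following Python helper parses the `-w` watch rules quoted above and reports which of them would match a given file access; treating a directory watch as recursive and an omitted `-p` as `rwxa` are assumptions noted in the code. Because the post's rules use `-p wa`, only writes and attribute changes are selected, so a plain read of a file under /etc matches none of them.

```python
import os
import shlex

# Watch rules copied from the post's audit.rules (comments, -D and -b dropped).
RULES_TEXT = """
-w /etc/audit/audit.conf -p wa -k LOG_conf
-w /etc/ -p wa
"""


def parse_watch_rules(text):
    """Parse '-w PATH [-p PERMS] [-k KEY]' lines into (path, perms, key).

    Non-watch lines (comments, -D, -b, syscall rules) are skipped.
    Assumption: a watch with no -p selects every access type, 'rwxa'.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        argv = shlex.split(line)
        if "-w" not in argv:
            continue
        path = argv[argv.index("-w") + 1]
        perms = argv[argv.index("-p") + 1] if "-p" in argv else "rwxa"
        key = argv[argv.index("-k") + 1] if "-k" in argv else None
        rules.append((os.path.normpath(path), set(perms), key))
    return rules


def _covers(watched, target):
    # Assumption: a directory watch covers everything beneath it (recursive).
    return target == watched or target.startswith(watched.rstrip("/") + "/")


def matching_rules(rules, accessed_path, access):
    """Return the rules that fire for one access of type r, w, x or a.

    A rule matches only when its path covers accessed_path AND its
    permission filter contains the access type; '-p wa' never sees reads.
    """
    target = os.path.normpath(accessed_path)
    return [r for r in rules if _covers(r[0], target) and access in r[1]]


if __name__ == "__main__":
    rules = parse_watch_rules(RULES_TEXT)
    for path, access in [("/etc/passwd", "r"), ("/etc/passwd", "w"),
                         ("/etc/audit/audit.conf", "a")]:
        print(path, access, [r[2] or r[0] for r in matching_rules(rules, path, access)])
```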