<html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body text="#000066" bgcolor="#FFFFCC"> Hi Steve, thanks for your assistance, <blockquote cite="mid:2247361.QvknK8CF0u@x2" type="cite"> <pre wrap=""> For RHEL5, I know its enabled. But based on your questions above, you are asking 2 things. Where to put audit=1 and if pam_loginuid is right. For these, # cat /proc/cmdline and # cat /proc/self/loginuid would let you check. In the first, make sure audit=1 is there and in the second case, the output should be the uid under which you logged into the system. -Steve </pre> </blockquote> <blockquote>[root@test /root]# cat /proc/cmdline ro root=LABEL=/ audit=1 rhgb quiet [root@test /root]# cat /proc/self/loginuid 0</blockquote> To narrow the circle; we have some linux servers and a central log collector system. we are sending audit logs to this log system. this log collector system can parse such logs but this system confused at lines with "auid=4294967295" in audit logs. i have tried everything but still this lines are coming: <blockquote>type=USER_ACCT msg=audit(1420656001.965:2804): user pid=6083 uid=0 auid=4294967295 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' type=CRED_ACQ msg=audit(1420656001.966:2805): user pid=6083 uid=0 auid=4294967295 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' </blockquote> and <blockquote>[root@test /root]# cat /etc/pam.d/crond # # The PAM configuration file for the cron daemon # # session required pam_loginuid.so auth required pam_unix.so auth required pam_nologin.so account required pam_unix.so password required pam_unix.so session required pam_unix.so </blockquote> so is there any other hints or what can i do esle? </body> </html>