On Thursday 09 June 2005 11:13, Timothy R. Chavez wrote: > Have you tried using the syscall (inode,dev)-based filter rules? Files that are deleted and created can have new inode numbers. Examples are rotating audit logs and updating /etc/shadow. -Steve