Changes to Audit record format

Steve Grubb sgrubb at redhat.com
Thu Mar 16 20:02:13 UTC 2006


On Thursday 16 March 2006 14:59, Debora Velarde wrote:
> Why do we need more than just "pid=200"?  You already know that it was
> auditd by the "auditd start" in the log.

In this particular case, it might not be needed. But in general, it's to
provide some context to the human that is reading it. I see it as 
supplemental information.

-Steve



