On Tuesday 17 July 2007 10:05:12 Roger Holm wrote: > I want to log if someone uses the rpm command (to install/upgrade > packages), but not the rest of commands. Only the rpm command! Sure: -w /bin/rpm -p x -k rpm-is-running I added the key to make searching for the results easier. It also helps you know why the audit record was logged. -Steve