On Friday 22 December 2006 11:22, Wieprecht, Karen M. wrote: > So you still need a watch on the file in order to collect get audit events > to be generated in the event of file access failures, is that correct? That entirely depends on the rule. If you are using possible, yes. If your rules are always/never or a watch then you should be ok. -Steve