On Wednesday 03 May 2006 13:21, Kirkwood, David A wrote: > I don't see any timestamps on audit events. How can I bracket events > between to dates /times? The ausearch utility was created to view the audit records. It extracts that information from the event. Can you give that a try? ausearch -ts 1:00:00 -i (This also assumes you have the audit daemon running.) -Steve