Offline configuration - nice summary of Bob's config

[Wieprecht, Karen M.]

 Bob,
>> it didn't look like failed logins on the gnome desktop were
generating events.  I realize this may be particular to RHEL_64, 
>> but I also figured I could just have an outdated package.

Based on my limited exposure to RHEL4 x86_64 and bz 196233,  I was
getting login/logout information with the standard RHEL4U4 kernel, but I
wasn't getting any of the syscall stuff before installing the test
kernel Jason was providing ( http://people.redhat.com/~jbaron/rhel4/ ).
Steve Grubb said that Jason's fix  will be committed in stream U5 build
42.20.   

It sounds like you are having the opposite problem though (getting
syscall stuff but not he login/logout stuff).  This seems odd because
the login/logout stuff is supposed to be built in ...  you aren't
filtering out the login/logout message types by chance are you?  Steve
sent out a sample the other day for someone who asked how to do this
(-a exclude,always -F msgtype>=1100 -F msgtype<=1299 -a exclude,always
-F msgtype>=1400 -F msgtype<=2999).

It could be that you are seeing a different variant of bug bz196233
since you are on FC rather than RHEL, but I would think that if the
syscall stuff is showing up, that you've probably already got a fix in
place for bz196233 ...  

The other thing you might do is to compare the sample capp.rules to your
audit.rules.  When we set up our initial test audit.rules file,  we
tried a few things from the sample capp.rules file, and I recall that
there were a few things you had to uncomment based on whether you were
on 32-bit or 64-bit.   If you have something similar in your
audit.rules, you may need the 64-bit flavor of the rule.   

Good luck,

Karen Wieprecht