Description of problem: As of the audit 1.2.7-3.fc5 update, and with -4.fc5, audit messages are going to /var/log/messages instead of /var/log/audit/audit.log as before. /etc/auditd.conf is the default: # # This file controls the configuration of the audit daemon # log_file = /var/log/audit/audit.log log_format = RAW priority_boost = 3 flush = INCREMENTAL freq = 20 num_logs = 4 #dispatcher = /sbin/audispd disp_qos = lossy max_log_file = 5 max_log_file_action = ROTATE space_left = 75 space_left_action = SYSLOG action_mail_acct = root admin_space_left = 50 admin_space_left_action = SUSPEND disk_full_action = SUSPEND disk_error_action = SUSPEND Version-Release number of selected component (if applicable): audit-1.2.7-4.fc5
The -3 release was broken. -4 should work fine. Is the audit daemon running? Do you have any message in syslog?
Looks like the -3 release killed the audit daemon, and -4 didn't restart it. Started it and everything looks good.