Description of problem:

It appears that in Linux 2.6.25+ audit messages have a "type=####" field:

May 30 17:10:53 cynosure kernel: type=1400 audit(1212189053.613:2458): avc: denied { read } for pid=2045 comm="umount" path="/proc/7352/mounts" dev=proc ino=644101 scontext=unconfined_u:system_r:mount_t:s0 tcontext=unconfined_u:system_r:automount_t:s0 tclass=file

The attached patch addresses that by changing audit.conf to add the possible type= field and to remove a leading "^" from one of the rules. It also handles:

Jun 17 10:39:29 pyramid kernel: audit(1213720769.358:5): user pid=1999 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=3)

(add support for the added "-s0:c0.c1023")

This has been sent upstream.

Version-Release number of selected component (if applicable):
logwatch-7.3.6-15.fc8
Created attachment 309801
patch to audit config and script
Fixed in logwatch-7.3.6-24.fc10.
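
The matching problem described in the report, as an added Python example (not the attached patch and not logwatch's own audit.conf or script): a parser that accepts the audit header with or without the "type=####" prefix, does not anchor it at the start of the syslog line, and accepts an MLS range such as "s0-s0:c0.c1023" in a context. The names parse_audit, summarize, AUDIT_HEADER, LEVEL and CONTEXT are assumptions made for this example.

```python
import re
from collections import Counter

# Sample input: the two syslog lines quoted in the report.
SAMPLE = [
    'May 30 17:10:53 cynosure kernel: type=1400 audit(1212189053.613:2458): '
    'avc: denied { read } for pid=2045 comm="umount" path="/proc/7352/mounts" '
    'dev=proc ino=644101 scontext=unconfined_u:system_r:mount_t:s0 '
    'tcontext=unconfined_u:system_r:automount_t:s0 tclass=file',
    "Jun 17 10:39:29 pyramid kernel: audit(1213720769.358:5): user pid=1999 "
    "uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc: received policyload notice (seqno=3)",
]

# Optional "type=NNNN " prefix, then audit(<epoch>.<ms>:<serial>):. Not anchored
# with "^": syslog puts the timestamp, host and "kernel:" in front of it.
AUDIT_HEADER = re.compile(
    r"(?:type=(?P<type>\d+) )?audit\(\d+\.\d+:(?P<serial>\d+)\): (?P<body>.*)")
# MLS level: "s0", or a range with categories such as "s0-s0:c0.c1023".
LEVEL = r"s\d+(?::c[\d.,c]+)?(?:-s\d+(?::c[\d.,c]+)?)?"
CONTEXT = rf"[\w.]+:[\w.]+:[\w.]+:{LEVEL}"


def parse_audit(line):
    """Return a dict for a kernel audit line, or None if it is not one."""
    m = AUDIT_HEADER.search(line)
    if not m:
        return None
    body = m["body"]
    rec = {"type": m["type"], "serial": int(m["serial"]), "kind": "other"}
    denied = re.search(r"avc:\s+denied\s+\{ ([^}]*?) \} for ", body)
    if denied:
        rec["kind"], rec["perms"] = "avc_denied", denied.group(1).split()
    elif re.search(r"avc:\s+received policyload notice", body):
        rec["kind"] = "policyload"
    for key in ("scontext", "tcontext", "subj"):
        ctx = re.search(rf"\b{key}=({CONTEXT})(?=\s|$)", body)
        if ctx:
            rec[key] = ctx.group(1)
    return rec


def summarize(lines):
    """Count audit records by kind, skipping non-audit lines."""
    return Counter(r["kind"] for r in map(parse_audit, lines) if r)


if __name__ == "__main__":
    for entry in SAMPLE:
        print(parse_audit(entry))
    print(summarize(SAMPLE))
```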