----- Original Message -----
> So my question is why normal users audit event logs can't be captured
> as a "type=USER_TTY", whereas root logs can be captured
> similar way.

USER_TTY is sent by the process that accepts the keyboard input. Unprivileged users are not allowed to send audit records (otherwise they would be able to fill the queue and/or the log partition, causing a DoS), so the USER_TTY record is discarded.

Even for unprivileged users you should have the type=TTY records, although they are noticeably more difficult to interpret.

Mirek

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
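
Added example, not part of the original message: a small Python decoder for the type=TTY records mentioned above, which carry the captured keystrokes as a hex-encoded data= field. The sample log lines are constructed, and the field layout (auid=, a quoted comm=, data= last) is an assumption about typical TTY audit output.

```python
import re

# Constructed sample audit.log lines (not from the thread). Assumed layout:
# the kernel TTY record ends with comm="..." data=<hex keystrokes>.
SAMPLE_LOG = """\
type=TTY msg=audit(1700000000.101:210): tty pid=4312 uid=1000 auid=1000 ses=3 major=136 minor=1 comm="bash" data=6C73202D6C610D
type=SYSCALL msg=audit(1700000005.222:211): arch=c000003e syscall=59 success=yes exit=0 pid=4400 auid=1000 uid=1000 comm="id" exe="/usr/bin/id"
type=TTY msg=audit(1700000009.450:212): tty pid=4312 uid=1000 auid=1000 ses=3 major=136 minor=1 comm="bash" data=636174202F6574632F686F7374737F730D
type=TTY msg=audit(1700000012.000:213): tty pid=4312 uid=1000 auid=1000 ses=3 major=136 minor=1 comm="bash" data=6C7
"""

TTY_RE = re.compile(
    r'^type=TTY msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):.*?'
    r'\bauid=(?P<auid>\d+)\b.*?\bcomm="(?P<comm>[^"]*)" '
    r'data=(?P<data>[0-9A-Fa-f]*)\s*$')

# Keys an analyst needs to see explicitly to reconstruct what was typed.
CONTROL = {0x0D: "<ret>", 0x0A: "<nl>", 0x7F: "<backspace>",
           0x09: "<tab>", 0x1B: "<esc>"}

def render(raw: bytes) -> str:
    """Turn raw keystroke bytes into readable text with visible control keys."""
    out = []
    for b in raw:
        if b in CONTROL:
            out.append(CONTROL[b])
        elif b < 0x20:
            out.append(f"<^{chr(b + 0x40)}>")   # e.g. 0x03 -> <^C>
        elif b < 0x7F:
            out.append(chr(b))
        else:
            out.append(f"<0x{b:02x}>")          # non-ASCII byte, shown raw
    return "".join(out)

def decode_tty_records(log_text: str) -> list:
    """Return one dict per type=TTY line; other record types are skipped."""
    results = []
    for line in log_text.splitlines():
        m = TTY_RE.match(line)
        if not m:
            continue
        try:
            keys = render(bytes.fromhex(m["data"]))
        except ValueError:                      # truncated (odd-length) hex
            keys = None
        results.append({"serial": int(m["serial"]), "auid": int(m["auid"]),
                        "comm": m["comm"], "keys": keys})
    return results

if __name__ == "__main__":
    for rec in decode_tty_records(SAMPLE_LOG):
        print(rec)
```

The records hold raw input, so typed corrections such as `<backspace>` appear in the stream and have to be replayed mentally to get the command that actually ran.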