However, the kernel audit framework will instead dispatch the audit messages to an audit daemon if one is present;
This is good to know. I am working on the audit daemon and noticed that avc messages usually wind up in syslog *even if* the audit daemon is running. I see "real" audit messages going to /var/log/audit.log and scrolling dbus avc messages in /var/log/messages both at the same time.
Not sure how the kernel decides where to send each of these...but they do go to different places on my machine.
-Steve Grubb
__________________________________ Do you Yahoo!? Meet the all-new My Yahoo! - Try it today! http://my.yahoo.com