/etc/audit/audit.rules has this:

# The following rule would cause all of the syscalls listed to be ignored in logging.
-a exit,never -F arch=b32 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
-a exit,never -F arch=b64 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat

Which means logging is off for most syscalls. This is a big surprise when you do your first audit logging and find your logs almost empty.

Gentoo adds these lines; could these be commented out by default instead?
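
An added example, not part of the original report: a small checker that lists which syscalls a rules file excludes from auditing through "never" rules on the exit list. The function name `suppressed_syscalls` and the `execve` rule in the sample are constructed for illustration; the two "never" rules are the ones quoted above.

```python
import shlex
from collections import defaultdict

# The two "never" rules quoted in the report, plus one constructed "always" rule for contrast.
SAMPLE_RULES = """\
# The following rule would cause all of the syscalls listed to be ignored in logging.
-a exit,never -F arch=b32 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
-a exit,never -F arch=b64 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
-a always,exit -F arch=b64 -S execve -k constructed_example
"""

def suppressed_syscalls(rules_text):
    """Map arch -> sorted syscalls covered by 'never' rules on the exit list."""
    found = defaultdict(set)
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # commented-out rules are inactive
        action_list, arch, syscalls = set(), "any", []
        tokens = iter(shlex.split(line))
        for tok in tokens:
            if tok in ("-a", "-A"):
                # auditctl accepts both "list,action" and "action,list"
                action_list = set(next(tokens, "").split(","))
            elif tok == "-S":
                # -S may be repeated or carry a comma-separated list
                syscalls.extend(next(tokens, "").split(","))
            elif tok == "-F":
                field = next(tokens, "")
                if field.startswith("arch="):
                    arch = field[len("arch="):]
        if action_list == {"exit", "never"}:
            # a syscall rule with no -S applies to all syscalls
            found[arch].update(syscalls or ["all"])
    return {arch: sorted(names) for arch, names in found.items()}

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for arch, names in suppressed_syscalls(text).items():
        print(f"{arch}: never-audited syscalls: {', '.join(names)}")
```

Run it with the path to a rules file as the only argument, or with no argument to use the embedded sample.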