Hi Steve,

thanks for your assistance,

> For RHEL5, I know its enabled. But based on your questions above, you are
> asking 2 things. Where to put audit=1 and if pam_loginuid is right. For these,
>
> # cat /proc/cmdline
>
> and
>
> # cat /proc/self/loginuid
>
> would let you check. In the first, make sure audit=1 is there and in the second
> case, the output should be the uid under which you logged into the system.
>
> -Steve

    [root@test /root]# cat /proc/cmdline
    ro root=LABEL=/ audit=1 rhgb quiet

    [root@test /root]# cat /proc/self/loginuid
    0


To narrow the circle;

we have some linux servers and a central log collector system. we are 
sending audit logs to this log system. this log collector system can 
parse such logs but this system confused at lines with "auid=4294967295" 
in audit logs.

i have tried everything but still this lines are coming:

    type=USER_ACCT msg=audit(1420656001.965:2804): user pid=6083 uid=0
    auid=4294967295 msg='PAM: accounting acct="root" :
    exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
    type=CRED_ACQ msg=audit(1420656001.966:2805): user pid=6083 uid=0
    auid=4294967295 msg='PAM: setcred acct="root" :
    exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'

and

    [root@test /root]# cat /etc/pam.d/crond
    #
    # The PAM configuration file for the cron daemon
    #
    #
    session    required     pam_loginuid.so
    auth       required     pam_unix.so
    auth       required     pam_nologin.so
    account    required     pam_unix.so
    password   required     pam_unix.so
    session    required     pam_unix.so

so is there any other hints or what can i do esle?