I've currently installed RHEL 4 v. 2. I'm trying to assess how to configure the audit daemon to log unsuccessful user access to restricted files. However, I have yet to find any quality documentation on how to configure /etc/audit.rules by hand, or the proper syntax in conjunction with using the auditctl command. If anyone has any experience using RHEL 4 v.2's auditing feature, or can point me in the direction of a quality site that does, I'd be very greatful.

Thanks!