difference between success and failed event in auditd/aureport
- by user112358132134
The aureport command has two options that limit the list of displayed events to those that were successful and those that failed. Per the man page:
    --failed
        Only select failed events for processing in the reports. The default is both success and failed events.
    --success
        Only select successful events for processing in the reports. The default is both success and failed events.
What does this mean? Is the failure/success with regard to the actual event (e.g., a syscall that returned non-zero) or does the failure/success apply to auditd and whether or not there was an issue in processing the event?