diff --git a/audit.spec b/audit.spec
index adfd1371ee3126bfb452895e339dececfffe82db..3e8f9ef8ad828bb5af96705fff50e136bf3c13a1 100644
--- a/audit.spec
+++ b/audit.spec
@@ -4,7 +4,7 @@ Summary: User space tools for kernel auditing
 Name: audit
 Epoch: 1
 Version: 3.0
-Release: 13
+Release: 14
 License: GPLv2+ and LGPLv2+
 URL: https://people.redhat.com/sgrubb/audit/
 Source0: https://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
@@ -66,6 +66,7 @@ Patch52: backport-Cleanup-code-in-LRU.patch
 Patch53: backport-Fix-memory-leaks.patch
 Patch54: backport-fix-one-more-leak.patch
 Patch55: backport-Correct-output-when-displaying-rules-with-exe-path-d.patch
+Patch56: backport-ausearch-format-Fix-display-of-renamed-file-411.patch
 BuildRequires: gcc swig libtool systemd kernel-headers >= 2.6.29
 BuildRequires: openldap-devel krb5-devel libcap-ng-devel
@@ -418,6 +419,9 @@ fi
 %attr(644,root,root) %{_mandir}/man8/*.8.gz
 %changelog
+* Wed Dec 11 2024 wangjiang - 1:3.0-14
+- backport patches to fix bug
+
 * Sat Aug 24 2024 xuraoqing - 1:3.0-13
 - backport patches to fix bug
diff --git a/backport-ausearch-format-Fix-display-of-renamed-file-411.patch b/backport-ausearch-format-Fix-display-of-renamed-file-411.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e7d2cfd158f79a7d735ec3b090055642ab7c56b8
--- /dev/null
+++ b/backport-ausearch-format-Fix-display-of-renamed-file-411.patch
@@ -0,0 +1,48 @@
+From 7cdcfd30c6122acc6b2e54e1ad8cd1a12dd537d2 Mon Sep 17 00:00:00 2001
+From: Attila Lakatos
+Date: Mon, 21 Oct 2024 04:25:37 +0200
+Subject: [PATCH] ausearch format: Fix display of renamed file (#411)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In some cases, ausearch was not correctly showing
+the new name of a renamed file when searching for
+audit events. If the target file didn’t exist prior
+to the rename, ausearch was unable to parse the new
+file name. This occurred because ausearch attempted
+to retrieve this information from the 7th record,
+which is absent when the target file does not exist.
+---
+ auparse/normalize.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/auparse/normalize.c b/auparse/normalize.c
+index 036c0b86..f1a07d18 100644
+--- a/auparse/normalize.c
++++ b/auparse/normalize.c
+@@ -693,7 +693,20 @@ static int normalize_syscall(auparse_state_t *au, const char *syscall)
+ case NORM_FILE_RENAME:
+ act = "renamed";
+ D.thing.what = NORM_WHAT_FILE; // this gets overridden
+- set_prime_object2(au, "name", 4);
++ /* A sucessfull syscall from the rename family will provide
++ * the following items:
++ * 0 - new dir, in which the file will be located
++ * 1 - old dir, in which the file was located
++ * 2 - old name, the name of the original file
++ * if the file was already present in the new dir:
++ * 3 - removal of the new file
++ * 4 - creation of the new file
++ * otherwise:
++ * 3 - creation of the new file
++ */
++
++ // The 3rd record will always contain the name of the new file
++ set_prime_object2(au, "name", 3);
+ set_file_object(au, 2); // Thing renamed is 2 after
+ simple_file_attr(au);
+ break;
+--
+2.33.0
+
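Review bot: The added line comment `// The 3rd record will always contain the name of the new file` in the NORM_FILE_RENAME case is ambiguous next to `set_prime_object2(au, "name", 3)`: the block comment above it numbers the items from 0, so index 3 is the fourth item, and the commit message counts differently again ("7th record"). I would reword it to `// Item 3 (zero-based, as listed above) names the new file in both layouts` and fix the typo `sucessfull` -> `successful` in the block comment. The block comment also describes only a successful rename; if this case can be reached for a failed syscall that logs fewer items, it would help to state what the primary object holds then, since that field is what an analyst reads as the rename target. `set_prime_object2` and the rest of `normalize_syscall` are outside the hunk, so that last point is a question to confirm rather than a finding.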