diff --git a/templates/etc/audit/rules.d/collection.rules.j2 b/templates/etc/audit/rules.d/collection.rules.j2
index 34fd9f9..04559f5 100644
--- a/templates/etc/audit/rules.d/collection.rules.j2
+++ b/templates/etc/audit/rules.d/collection.rules.j2
@@ -3,6 +3,7 @@
 
 -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
 -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change
+-a always,exit -F arch=b32 -S stime -F key=audit_time_rule
 -w /etc/localtime -p wa -k time-change
 
 ## Records when events occur that modify user and group passwords and ID's