On Fri, 21 Apr 2006 19:44:55 EDT, Steve Grubb said:
> -a always,exclude -F msgtype=EXECVE
> Problem Solved (tm).
Damn, I read the patch over like 3 times, and didn't twig into it using
AUDIT_EXECVE (1309) - I managed to convince myself this was an expansion of the
record cut for the execve under AUDIT_SYSCALL (1300).
<mode="Emily Litella">
Nevermind...
</mode>
:)