I need to configure auditing for certification reasons, but I'd like to cut down on wasted disk space by ignoring known "chatter". On a newly installed Redhat 5 workstation there seems to be an open of /var/run/utmp every 10 seconds, which fills the log files. I'd like to ignore these, but my first attempt doesn't seem to work. I'm admittedly a novice at configuring auditd.

    [root@foo ~]# aureport -f --summary | head -10
    File Summary Report
    ===========================
    total  file
    ===========================
    136065  /var/run/utmp
    5283  /etc/symc-defutils.conf
    795  /home/fsotest/.gconf/apps/puplet/
    662  /usr/include/linux/
    599  /dev/null
    [root@foo ~]# auditctl -l | grep utmp
    [root@foo ~]# auditctl -a exit,never -w /var/run/utmp
    [root@foo ~]# auditctl -l | grep utmp
    LIST_RULES: exit,always watch=/var/run/utmp perm=rwxa
    [root@foo ~]#

What would be the proper syntax to get auditctl to ignore the open attempts to /var/run/utmp?