I am trying to use auditd to monitor changes to a directory. The problem is that when I setup a rule it does monitor the dir I specified but also all the sub dir and files making the monitor useless due to endless verbosity.

Here is the rule I setup:

auditctl -w /home/raven/public_html -p war -k raven-pubhtmlwatch

when I search the logs using

ausearch -k raven-pubhtmlwatch

I get thousands of lines of logs that list everything under public_html/

How can I limit the rule to changes on the directory specified only?

Thank you very much.