ALCON,
We have a CentOS machine running CentOS 6 and it uses MySQL. When a
standard user operates the system, our /var/log/messages gets filled up
with around 2 GB of audit data rather quickly. Here is the audit.
Dec 6 15:22:12 aaa-bbb audispd: node=aaa-bbb.ccc.ddd.eee type=SYSCALL
msg=audit(1386361331.932:3572423): arch=c000003e syscall=142 success=no
exit=-22 a0=1f46 a1=7f5e6357e290 a2=d3b6f8 a3=1f68 items=0 ppid=2518
pid=8006 auid=4294967295 uid=496 gid=492 euid=496 suid=496 fsuid=496
egid=492 sgid=492 fsgid=492 tty=(none) ses=4294967295 comm="mysqld"
exe="/usr/libexec/mysqld" key=(null)
I have tried the following:
-a exit,never -F path=/usr/libexec/mysqld
When using "-F", I noticed in one RHEL forum someone used -F exe=.
However, in CentOS, exe is not a recognized field when using -F.
We do not wish to audit this data; can someone please help me exclude the
audit?
V/R
Derek Warner – CISSP-ISSEP
Information System Security Engineer
Riptide Software
w- 321-296-0068 x 136
c- 407-716-9223
derek.warner(a)riptidesoftware.com
derek.a.warner(a)us.army.mil
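An added example, not part of the original post: a small parser for the audispd SYSCALL record format shown above that tallies records by (exe, syscall, success) and flags records whose auid is 4294967295 (unsigned -1, i.e. no login session, as for a daemon such as mysqld), so the source of the flood can be measured before any exclusion rule is written. The sample log is constructed: the first line is the record from the post re-joined onto one line, the other two are made-up records.

```python
import re
from collections import Counter

# Constructed sample: the post's record (re-joined onto one line), a second
# copy with a new serial, and one made-up record from an interactive session.
SAMPLE_LOG = """\
Dec 6 15:22:12 aaa-bbb audispd: node=aaa-bbb.ccc.ddd.eee type=SYSCALL msg=audit(1386361331.932:3572423): arch=c000003e syscall=142 success=no exit=-22 a0=1f46 a1=7f5e6357e290 a2=d3b6f8 a3=1f68 items=0 ppid=2518 pid=8006 auid=4294967295 uid=496 gid=492 euid=496 suid=496 fsuid=496 egid=492 sgid=492 fsgid=492 tty=(none) ses=4294967295 comm="mysqld" exe="/usr/libexec/mysqld" key=(null)
Dec 6 15:22:13 aaa-bbb audispd: node=aaa-bbb.ccc.ddd.eee type=SYSCALL msg=audit(1386361332.100:3572424): arch=c000003e syscall=142 success=no exit=-22 a0=1f46 a1=7f5e6357e290 a2=d3b6f8 a3=1f68 items=0 ppid=2518 pid=8006 auid=4294967295 uid=496 gid=492 euid=496 suid=496 fsuid=496 egid=492 sgid=492 fsgid=492 tty=(none) ses=4294967295 comm="mysqld" exe="/usr/libexec/mysqld" key=(null)
Dec 6 15:22:14 aaa-bbb audispd: node=aaa-bbb.ccc.ddd.eee type=SYSCALL msg=audit(1386361333.500:3572425): arch=c000003e syscall=2 success=yes exit=3 a0=7fff a1=0 a2=0 a3=0 items=1 ppid=3001 pid=3002 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=5 comm="cat" exe="/bin/cat" key="etc-watch"
"""

UNSET_AUID = "4294967295"  # (unsigned)-1: no login uid attached, i.e. a daemon

# key=value, where value is "quoted", (parenthesised) or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')

def parse_record(line):
    """Turn one audispd syslog line into a dict of audit fields."""
    body = line.split("audispd: ", 1)[-1]      # drop the syslog prefix
    rec = {}
    for key, val in FIELD_RE.findall(body):
        if key == "msg":                       # msg=audit(EPOCH.ms:SERIAL):
            ts, serial = val[len("audit("):].rstrip("):").split(":")
            rec["time"], rec["serial"] = float(ts), int(serial)
            continue
        rec[key] = None if val == "(null)" else val.strip('"')
    return rec

def summarize(log_text):
    """Count SYSCALL records by (exe, syscall, success) to see what floods the log."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") == "SYSCALL":
            counts[(rec["exe"], rec["syscall"], rec["success"])] += 1
    return counts

def daemon_records(log_text):
    """Records with auid unset: generated by background services, not a login user."""
    return [r for r in map(parse_record, log_text.splitlines())
            if r.get("auid") == UNSET_AUID]

if __name__ == "__main__":
    for (exe, nr, ok), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:6d}  exe={exe} syscall={nr} success={ok}")
    print(f"{len(daemon_records(SAMPLE_LOG))} record(s) with auid unset")
```

Run it against a real /var/log/messages to get the per-executable counts; `ausyscall` can map the syscall number to a name for the arch shown in the record.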