ALCON,
We have a CentOS 6 machine that runs MySQL. When a standard user operates the system, our /var/log/messages fills up with around 2 GB of audit data rather quickly. Here is the audit record:
Dec 6 15:22:12 aaa-bbb audispd: node=aaa-bbb.ccc.ddd.eee type=SYSCALL msg=audit(1386361331.932:3572423): arch=c000003e syscall=142 success=no exit=-22 a0=1f46 a1=7f5e6357e290 a2=d3b6f8 a3=1f68 items=0 ppid=2518 pid=8006 auid=4294967295 uid=496 gid=492 euid=496 suid=496 fsuid=496 egid=492 sgid=492 fsgid=492 tty=(none) ses=4294967295 comm="mysqld" exe="/usr/libexec/mysqld" key=(null)
I have tried the following:
-a exit,never -F path=/usr/libexec/mysqld
When using "-F", I noticed in one RHEL forum that someone used -F exe=.
However, in CentOS exe is not a recognized field when using -F.
We do not wish to audit this data; can someone please help me exclude the audit?
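One way to build the exclusion on an audit version whose -F has no exe= field, as an added example that is not part of the original post: the -F path= filter matches the file a syscall operates on, not the program issuing it, so the rule below is keyed instead on fields the record does expose (arch, syscall number and the real uid of the mysql service account). The script parses the SYSCALL record quoted above (embedded as a constructed sample) into a "-a never,exit" rule and places it ahead of any "-a always" rule, because auditd evaluates rules in order and stops at the first match. The existing rule set it edits is constructed for the illustration; uid 496 and syscall 142 come from the record (142 should be sched_setparam on x86_64; confirm with "ausyscall x86_64 142").

```shell
#!/bin/sh
# Added example, not code from the original post. Turns a noisy audit SYSCALL
# record into an auditctl "never" rule that matches the same arch/syscall/uid,
# for audit versions whose -F has no exe= field.

# Constructed sample: the SYSCALL record quoted in the post.
SAMPLE='node=aaa-bbb.ccc.ddd.eee type=SYSCALL msg=audit(1386361331.932:3572423): arch=c000003e syscall=142 success=no exit=-22 a0=1f46 a1=7f5e6357e290 a2=d3b6f8 a3=1f68 items=0 ppid=2518 pid=8006 auid=4294967295 uid=496 gid=492 euid=496 suid=496 fsuid=496 egid=492 sgid=492 fsgid=492 tty=(none) ses=4294967295 comm="mysqld" exe="/usr/libexec/mysqld" key=(null)'

# Constructed existing rule set (assumption: a broad always rule is what
# produces the records); -D and -b are the usual header lines.
EXISTING_RULES='-D
-b 8192
-a always,exit -F arch=b64 -S all -F success=0'

# audit_field RECORD NAME: print the value of NAME=value in RECORD.
# The leading whitespace anchor keeps "uid=" from matching auid=/euid=/fsuid=.
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# audit_arch_flag HEXARCH: map the kernel's arch field to auditctl's -F arch value.
audit_arch_flag() {
    case "$1" in
        c000003e) echo b64 ;;   # AUDIT_ARCH_X86_64
        40000003) echo b32 ;;   # AUDIT_ARCH_I386
        *) return 1 ;;
    esac
}

# build_exclusion_rule RECORD: emit a never rule for the record's arch,
# syscall number and real uid. The syscall stays numeric (auditctl accepts
# numbers); resolve it with "ausyscall <arch> <num>" if you want the name.
build_exclusion_rule() {
    rec=$1
    arch=$(audit_arch_flag "$(audit_field "$rec" arch)") || return 1
    sc=$(audit_field "$rec" syscall)
    uid=$(audit_field "$rec" uid)
    [ -n "$sc" ] && [ -n "$uid" ] || return 1
    printf '%s\n' "-a never,exit -F arch=$arch -S $sc -F uid=$uid"
}

# insert_before_always RULE RULES_TEXT: place RULE ahead of the first "-a"
# rule. auditd evaluates rules in order and stops at the first match, so a
# never rule listed after an always rule has no effect.
insert_before_always() {
    printf '%s\n' "$2" | awk -v r="$1" '
        !done && /^-a / { print r; done = 1 }
        { print }
        END { if (!done) print r }'
}

rule=$(build_exclusion_rule "$SAMPLE")
echo "exclusion rule: $rule"
echo "resulting /etc/audit/audit.rules:"
insert_before_always "$rule" "$EXISTING_RULES"
```

Write the resulting text to /etc/audit/audit.rules, reload it with "service auditd restart" (or "auditctl -R /etc/audit/audit.rules"), and confirm with "auditctl -l" that the never rule is listed before the always rule. Separately, the "audispd:" prefix on the quoted line shows that the audisp syslog plugin is forwarding records to syslog; if the only goal is to stop /var/log/messages from growing, setting "active = no" in /etc/audisp/plugins.d/syslog.conf turns that off while the records remain in /var/log/audit/audit.log.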