What we do not know is - do you have any filtering criteria in mind not
covered by the available auditctl exclusions or do you just want to
"sample" randomly?
If the latter, why bother auditing this with a rule at all? You might be
able to remove the rule causing the events and do something in userspace
to audit only what you really want.
We want to sample system calls like rename.
In many cases, we have seen this overburden auditd and increase its CPU consumption.
In such cases, we want to drop some events randomly, so as to keep CPU consumption under control.
There are other rules also, for example monitoring login/logout.
For such rules we do not want to drop any event.