> Hello friendly audit people,
>
> I have a pretty simple question which I hope has a pretty simple answer. Is
> it possible to exclude a specific audit message type from the audit log? The
> auditctl man page looks like it might be possible using the syntax below but
> I'm not sure ...
>
> # auditctl -a exclude,always -F msgtype=1415
>
Yes, this is correct, but you may want to consider
using the (usually more meaningful) message type name instead:
# auditctl -a exclude,always -F msgtype=1112
or
# auditctl -a exclude,always -F msgtype=USER_LOGIN
Klaus
--
Klaus Heinrich Kiwi/Brazil/IBM <klausk@br.ibm.com>
Software Engineer
IBM STG, Linux Technology Center
Phone:(+55-19) 2132-1909 [T/L 839-1909]
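
A check a defender might run over a rules file to see which message types such exclude rules keep out of the log, as an added example that is not part of the original thread. The function names and the sample rules are constructed, the input is assumed to be in audit.rules format (one auditctl argument line per rule), and only the 1112/USER_LOGIN equivalence given in the reply is mapped to a name.

```shell
#!/bin/sh
# Added example: report message types suppressed by exclude-filter rules.

# list_excluded_msgtypes FILE -> one suppressed message type per line, sorted
list_excluded_msgtypes() {
    awk '
        /^[ \t]*#/ { next }                        # skip comment lines
        {
            is_exclude = 0
            for (i = 1; i < NF; i++)
                # -a / -A take "list,action"; both orderings are handled
                if (($i == "-a" || $i == "-A") &&
                    ($(i+1) == "exclude,always" || $(i+1) == "always,exclude"))
                    is_exclude = 1
            if (!is_exclude) next
            for (i = 1; i < NF; i++)
                if ($i == "-F" && $(i+1) ~ /^msgtype=/) {
                    t = substr($(i+1), 9)          # text after "msgtype="
                    if (t == "1112") t = "USER_LOGIN"  # equivalence from the reply
                    print t
                }
        }
    ' "$1" | LC_ALL=C sort -u
}

# excludes_msgtype FILE TYPE -> exit status 0 if TYPE is suppressed
excludes_msgtype() {
    list_excluded_msgtypes "$1" | grep -qxF -- "$2"
}

# Constructed sample rules file (not taken from any real system).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample rules
-w /etc/passwd -p wa -k identity
-a exclude,always -F msgtype=1415
-a always,exclude -F msgtype=1112
-a exclude,always -F msgtype=USER_LOGIN
-a always,exit -F arch=b64 -S execve -k exec
EOF

echo "Message types excluded from the audit log:"
list_excluded_msgtypes "$SAMPLE"
```

Only `msgtype=` comparisons are handled; rules that use another operator on msgtype are not reported by this sketch.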