On Tue, Oct 4, 2016 at 10:58 AM, leam hall <leamhall@gmail.com> wrote:
Sort of a followup question. I'm surprised adding "audit.none" to the "/var/log/messages" line of rsyslog.conf (RHEL 6) works. I didn't think audit was a full "facility" in whatever rsyslog looks at. Am I more confused than normal?

It's not. If you look at your main log you should see a message from rsyslogd saying something like "unknown facility 'audit'".