Re: Excluding certain audit message types?

> Hello friendly audit people, > > I have a pretty simple question which I hope has a pretty simple answer. > Is it possible to exclude a specific audit message type from the audit > log? The auditctl man page looks like it might be possible using the > syntax below but I'm not sure ... > > # auditctl -a exclude,always -F msgtype=1415 yes, this is correct, but you may want to consider using the (usually more meaningful) message type name instead: # auditctl -a exclude,always -F msgtype=1112 or # auditctl -a exclude,always -F msgtype=USER_LOGIN