Hello.
I would like to write a rule to exclude these two kinds of log lines in /var/log/audit/audit.log:
type=SERVICE_START msg=audit(1409313085.765:9015): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="mysqld@2" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1409313085.765:9016): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="mysqld@2" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
I have tried these:
-a exclude,always -F auid=4294967295
-a exclude,always -F msgtype=SERVICE_START -F auid=4294967295
-a exclude,always -F msgtype=SERVICE_STOP -F auid=4294967295
-a exclude,always -S all -F uid=0 -F auid=4294967295
-a exit,never -S all -F uid=0 -F auid=4294967295
Depending on the rules I tried, I got
1°) no success, because the logs continue to show the unwanted messages
or
2°)
Only msgtype field can be used with exclude filter
There was an error in line 14 of /etc/audit/audit.rules
Any help is welcome.
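The following is an added example, not part of the question above: a small parser for the audit.log record format shown in the post (header, `key=value` pairs, and the nested quoted `msg='...'` field), plus a log-side filter that behaves like an `exclude` rule restricted to `msgtype`, which is the only field the questioner's auditctl accepts in that filter. The third record, the `exclude_rule` and `apply_exclude` helpers and the `auid_unset` flag are my own constructions for the demonstration.

```python
import re

# Sample input: the two records from the question plus one constructed
# USER_LOGIN record that an exclude rule must NOT drop.
AUDIT_LOG = """\
type=SERVICE_START msg=audit(1409313085.765:9015): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="mysqld@2" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1409313085.765:9016): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="mysqld@2" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=USER_LOGIN msg=audit(1409313100.000:9017): pid=2000 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=ssh res=success'
"""

HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
# A value is a single-quoted string, a double-quoted string, or a bare token.
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")


def parse_record(line):
    """Turn one audit.log line into a dict of its fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: " + line)
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3))}
    for key, val in FIELD_RE.findall(m.group(4)):
        rec[key] = val.strip("'\"")
        if key == "msg":  # the quoted msg carries its own key=value pairs
            for k2, v2 in FIELD_RE.findall(rec[key]):
                rec[k2] = v2.strip("'\"")
    # auid=4294967295 is (uint32)-1, the "unset" login uid: the event was not
    # raised inside a user login session (here: systemd, pid 1).
    rec["auid_unset"] = rec.get("auid") == "4294967295"
    return rec


def exclude_rule(**fields):
    """Model the constraint reported by auditctl in the question: an exclude
    rule may only be keyed on msgtype. Returns the record type to drop."""
    unsupported = sorted(set(fields) - {"msgtype"})
    if unsupported:
        raise ValueError("Only msgtype field can be used with exclude filter: "
                         + ", ".join(unsupported))
    return fields["msgtype"]


def apply_exclude(lines, excluded_types):
    """Keep every record whose type is not in excluded_types."""
    kept = []
    for line in lines:
        if line.strip():
            rec = parse_record(line)
            if rec["type"] not in excluded_types:
                kept.append(rec)
    return kept
```

Running `apply_exclude(AUDIT_LOG.splitlines(), {exclude_rule(msgtype="SERVICE_START"), exclude_rule(msgtype="SERVICE_STOP")})` keeps only the USER_LOGIN record, while `exclude_rule(auid="4294967295")` raises the same complaint auditctl printed.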