Question : Supressing auditd rotation from /var/log/messages

We are required to have SELinux enabled, but does anyone know how to suppress these (annoying) type of auditd messages from being placed in /var/log/messages? We get several hundred a day and since we are running syslog-ng on a central server (copy of the /var/log/messages on several servers), these message types are just filling up the audit logs repository.

1: 2: 3: 4: 5: 6: 7: 8: 9: 10: 11: 12: 13:

Apr 29 14:29:43 MYSERVER auditd[1992]: Audit daemon rotating log files Apr 29 14:30:14 MYSERVER last message repeated 4 times Apr 29 14:31:21 MYSERVER last message repeated 8 times Apr 29 14:32:28 MYSERVER last message repeated 8 times Apr 29 14:33:29 MYSERVER last message repeated 8 times Apr 29 15:07:54 MYSERVER last message repeated 2 times May 12 14:35:01 MYSERVER auditd[1992]: Audit daemon rotating log files May 12 15:28:13 MYSERVER auditd[1992]: Audit daemon rotating log files May 12 16:21:38 MYSERVER auditd[1992]: Audit daemon rotating log files May 12 17:18:37 MYSERVER auditd[1992]: Audit daemon rotating log files May 12 18:09:32 MYSERVER auditd[1992]: Audit daemon rotating log files May 12 19:02:57 MYSERVER auditd[1992]: Audit daemon rotating log files May 12 19:56:22 MYSERVER auditd[1992]: Audit daemon rotating log files

Answer : Supressing auditd rotation from /var/log/messages

Syslog-ng doesn't like that above statement. In fact, it dropped all messages from being displayed.

So I did a little hack to the code using your train of thought and making separate filters and applying it before writing it to the logs.

1: 2: 3: 4: 5: 6: 7: 8: 9: 10:

filter M_audit { not match("Audit daemon rotating log files"); }; filter M_repeat { not match("last message repeated"); }; filter M_queue { not match("queue is full"); }; log { source(s_general); filter(M_audit); filter(M_repeat); filter(M_queue); destination(d_general); };