Question : Suppressing auditd rotation from /var/log/messages

We are required to have SELinux enabled, but does anyone know how to suppress these (annoying) types of auditd messages from being placed in /var/log/messages? We get several hundred a day and since we are running syslog-ng on a central server (copy of the /var/log/messages on several servers), these message types are just filling up the audit logs repository.

Apr 29 14:29:43 MYSERVER auditd[1992]: Audit daemon rotating log files
Apr 29 14:30:14 MYSERVER last message repeated 4 times
Apr 29 14:31:21 MYSERVER last message repeated 8 times
Apr 29 14:32:28 MYSERVER last message repeated 8 times
Apr 29 14:33:29 MYSERVER last message repeated 8 times
Apr 29 15:07:54 MYSERVER last message repeated 2 times
May 12 14:35:01 MYSERVER auditd[1992]: Audit daemon rotating log files
May 12 15:28:13 MYSERVER auditd[1992]: Audit daemon rotating log files
May 12 16:21:38 MYSERVER auditd[1992]: Audit daemon rotating log files
May 12 17:18:37 MYSERVER auditd[1992]: Audit daemon rotating log files
May 12 18:09:32 MYSERVER auditd[1992]: Audit daemon rotating log files
May 12 19:02:57 MYSERVER auditd[1992]: Audit daemon rotating log files
May 12 19:56:22 MYSERVER auditd[1992]: Audit daemon rotating log files

Answer : Suppressing auditd rotation from /var/log/messages

Syslog-ng doesn't like that above statement. In fact, it dropped all messages from being displayed.

So I did a little hack to the code using your train of thought and making separate filters and applying it before writing it to the logs.
filter M_audit   { not match("Audit daemon rotating log files"); };
filter M_repeat  { not match("last message repeated"); };
filter M_queue   { not match("queue is full"); };

log { source(s_general);
       filter(M_audit);
       filter(M_repeat);
       filter(M_queue);
       destination(d_general);
};
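
Added example, not part of the original answer: a Python sketch that applies the three filters above to constructed sample lines and reports which "last message repeated" lines they drop even though the message being repeated was not auditd noise. The sshd and `exampled` lines, the address 192.0.2.10 and the function names are assumptions; match() is approximated as a plain substring test.

```python
import re

# The three patterns used by M_audit, M_repeat and M_queue in the answer.
PATTERNS = ("Audit daemon rotating log files",
            "last message repeated",
            "queue is full")

# Constructed sample lines in the syslog format shown in the question.
SAMPLE = """\
Apr 29 14:29:43 MYSERVER auditd[1992]: Audit daemon rotating log files
Apr 29 14:30:14 MYSERVER last message repeated 4 times
Apr 29 14:31:02 MYSERVER sshd[2210]: Failed password for root from 192.0.2.10 port 4711 ssh2
Apr 29 14:31:09 MYSERVER last message repeated 8 times
Apr 29 14:32:00 MYSERVER exampled[100]: queue is full
""".splitlines()

# timestamp, host, rest of the message
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) (.*)$")


def answer_filters(lines):
    """Keep only lines that pass all three 'not match(...)' filters."""
    return [l for l in lines if not any(p in l for p in PATTERNS)]


def hidden_repeats(lines):
    """Return (repeat_line, repeated_message) pairs that M_repeat drops
    although the repeated message itself passes the filters."""
    last_msg = {}   # host -> most recent non-repeat message
    hidden = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        host, msg = m.group(2), m.group(3)
        if msg.startswith("last message repeated"):
            prev = last_msg.get(host)
            if prev and not any(p in prev for p in PATTERNS):
                hidden.append((line, prev))
        else:
            last_msg[host] = msg
    return hidden


if __name__ == "__main__":
    print("kept:", *answer_filters(SAMPLE), sep="\n  ")
    for repeat, original in hidden_repeats(SAMPLE):
        print("dropped repeat count:", repeat, "\n  refers to:", original)
```

On the sample, the single sshd failure line is kept but the following "repeated 8 times" line is dropped, so the central log under-counts the failed logins.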