I need to configure auditing for certification reasons, but I'd like to
cut down on wasted disk space by ignoring known "chatter". On a newly installed
Redhat 5 workstation there seems to be an open of /var/run/utmp every 10 seconds,
which fills the log files. I'd like to ignore these, but my first attempt doesn't
seem to work. I'm admittedly a novice at configuring auditd.

[root@foo ~]# aureport -f --summary | head -10

File Summary Report
===========================
total  file
===========================
136065  /var/run/utmp
5283  /etc/symc-defutils.conf
795  /home/fsotest/.gconf/apps/puplet/
662  /usr/include/linux/
599  /dev/null
[root@foo ~]# auditctl -l | grep utmp
[root@foo ~]# auditctl -a exit,never -w /var/run/utmp
[root@foo ~]# auditctl -l | grep utmp
LIST_RULES: exit,always watch=/var/run/utmp perm=rwxa
[root@foo ~]#

What would be the proper syntax to get auditctl to
ignore the open attempts to /var/run/utmp?