From: Steve Grubb
Subject: Re: suppress log entries, how?
Date: Wed, 01 Oct 2014 09:55:03 -0400
To: linux-audit@redhat.com, weber@zbfmail.de

On Wednesday, October 01, 2014 08:46:18 AM Marko Weber | 8000 wrote:
> good morning list,
>
> i installed auditd on my gentoo server.
> installation runs without error, but on start i get this:
>
> # /etc/init.d/auditd start
>  * Starting auditd ...
>
> [ ok ]
> touch: cannot touch '/var/lock/subsys/auditd': No such file or directory
>  * Loading audit rules from /etc/audit/audit.rules
>
> seems /var/lock/subsys/auditd is missing.
> that was easy to fix, but has to be repeated after every reboot.
>
>
> in auditd.log i get entries like this:
>
> type=NETFILTER_CFG msg=audit(1412022284.553:2446): table=mangle family=2
> entries=6
> type=SYSCALL msg=audit(1412022284.553:2446): arch=c000003e syscall=54
> success=yes exit=0 a0=4 a1=0 a2=40 a3=1144850 items=0 ppid=2070 pid=2130
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi"
> key=(null)
>
> i want to suppress these messages.
> in my understanding of the man page i have to put such a rule into
> audit.rules:
>
> -a exclude,never -F msgtype=NETFILTER_CFG , but this isn't working. the
> messages still appear.

Note that this says "never exclude" :-) I think you want -a exclude,always.
Give that a try.

-Steve
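
As an added example (not part of the original thread and not code from the audit project), the following Python check scans the text of an audit.rules file for exclude-list rules written with the `never` action, the mistake pointed out in the reply, and proposes the `exclude,always` form. The sample rules, the function name `lint_exclude_rules`, and the handling of both `list,action` and `action,list` order after `-a`/`-A` are assumptions of this example.

```python
import shlex

# Constructed sample rules file; only the NETFILTER_CFG rule on line 4
# is taken from the thread, everything else is made up for illustration.
SAMPLE_RULES = """\
# constructed sample audit.rules
-D
-b 320
-a exclude,never -F msgtype=NETFILTER_CFG
-a never,exclude -F msgtype=CWD
-a exclude,always -F msgtype=NETFILTER_CFG
-a exit,always -F arch=b64 -S execve -k exec
"""


def lint_exclude_rules(text):
    """Return (line_no, rule, suggestion) for exclude rules that use 'never'.

    Such a rule reads as "never exclude", so the matching records are
    still logged. The suggestion swaps the action for 'always'.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        try:
            tokens = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes: leave that for auditctl to report
        for i, tok in enumerate(tokens[:-1]):
            if tok not in ("-a", "-A"):
                continue
            # Assumption: list and action may appear in either order.
            if sorted(tokens[i + 1].split(",")) == ["exclude", "never"]:
                fixed = list(tokens)
                fixed[i + 1] = "exclude,always"
                findings.append((line_no, line, shlex.join(fixed)))
    return findings


if __name__ == "__main__":
    for line_no, rule, suggestion in lint_exclude_rules(SAMPLE_RULES):
        print(f"line {line_no}: {rule!r} does not suppress anything")
        print(f"  suggested: {suggestion}")
```
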