Using audit to track system changes, with rules from the CIS security guidelines.
This server also has Splunk running on it. This creates lots of changes that are reflected in the audit log files, so much so that the audit logs are being rotated every few minutes, causing several issues, one being that audit ceases auditing while log files are being rotated.
I thought it would be an easy job to exclude /u00/splunk/var (the source from which audit is generating the logs) by adding an exclude to audit.rules, but I have tried several things, all with zero success.
-W never,exit -F path=/u00/splunk/var
-w never,exit -F path=/u00/splunk/var
-a never,exit -F path=/u00/splunk/var
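The following is an added example, not part of the original post, showing how an exclusion for /u00/splunk/var is normally expressed in auditd rule syntax and how to check offline that it is placed where it can take effect. It assumes auditctl(8)/audit.rules(7) syntax; the CIS-style watch rules in the fragment are an illustrative subset, not the full CIS set, and the file name 10-splunk-exclude.rules is a hypothetical choice. Two points matter: audit evaluates rules in a list in order and stops at the first match, so a never rule placed after the watch that already matched does nothing; and `-F path=` only matches that exact pathname, while `-F dir=` matches the whole subtree, which is what a directory full of Splunk's own files needs. The exclusion deliberately removes that subtree from coverage, so it should be scoped as narrowly as the churn requires.

```shell
#!/bin/sh
# Added example (not from the original post): build an auditd rules fragment that
# excludes the Splunk working directory /u00/splunk/var from the exit filter, and
# verify offline that the exclusion precedes the rules that would otherwise log it.
# Assumptions: auditd rule syntax per auditctl(8); the CIS-style watch rules below
# are an illustrative sample, not the complete CIS rule set.

# Emit the fragment. Ordering matters: rules in a list are evaluated in order and
# the first match wins, so a "never" rule must come before any "always" rule or
# "-w" watch that would match the same event. "dir=" covers the whole subtree;
# "path=" would only match the directory entry itself, not the files under it.
write_rules() {
    out="$1"
    cat >"$out" <<'EOF'
## Exclusions (must come first): Splunk's working directory churns constantly
-a never,exit -F dir=/u00/splunk/var

## Sample CIS-style rules (illustrative subset)
-w /etc/passwd -p wa -k identity
-w /etc/sudoers -p wa -k scope
-a always,exit -F arch=b64 -S unlink -S rename -F auid>=1000 -F auid!=4294967295 -k delete
EOF
}

# Return 0 if every "-a never" rule appears before the first "-a always" or "-w"
# rule in the file; a never rule placed later is silently ineffective.
check_order() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^-a[[:space:]]+always/ || /^-w[[:space:]]/ { seen_always = 1; next }
        /^-a[[:space:]]+never/ && seen_always { bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Count the subtree exclusions for the Splunk directory present in the file.
count_dir_excludes() {
    grep -c -- '-a never,exit -F dir=/u00/splunk/var' "$1"
}

# Stand-alone run: write the fragment to a temp file, check it, print how to load it.
main() {
    tmp=$(mktemp)
    write_rules "$tmp"
    if check_order "$tmp"; then
        echo "exclusion precedes watch rules: OK"
    else
        echo "exclusion comes after a watch rule and will never match" >&2
    fi
    cat "$tmp"
    # augenrules concatenates /etc/audit/rules.d/*.rules sorted by name, so a low
    # number keeps the exclusion ahead of the CIS files; auditctl -l shows the result.
    echo "install: cp $tmp /etc/audit/rules.d/10-splunk-exclude.rules && augenrules --load && auditctl -l"
    rm -f "$tmp"
}

main "$@"
```

After loading, `auditctl -l` should list the `-a never,exit -F dir=/u00/splunk/var` line before the watches; if it appears after them, the rules.d file name sorts too late and the exclusion is still being bypassed.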