^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: rate_limit 0$
^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: /sbin/augenrules: No change$
^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: The audit daemon is exiting\.$
-type=SYSCALL msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): arch=[[:xdigit:]]+ syscall=[[:digit:]]+ success=yes exit=[[:digit:]]+ a0=7 a1=[[:xdigit:]]+ a2=[[:digit:]]+ a3=[[:xdigit:]]+ items=0 ppid=4470 pid=[[:digit:]]+ auid=[[:digit:]]+ uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=\(none\) ses=[[:digit:]]+ comm="[[:alnum:]]+" exe="[[:alnum:]/]+" subj=unconfined key=\(null\)[^[:alpha:]]+ARCH=x86_64 SYSCALL=write AUID="[[:alnum:]]+" UID="[[:alnum:]]+" GID="[[:alnum:]]+" EUID="[[:alnum:]]+" SUID="[[:alnum:]]+" FSUID="[[:alnum:]]+" EGID="[[:alnum:]]+" SGID="[[:alnum:]]+" FSGID="[[:alnum:]]+"$
+type=SYSCALL msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): arch=[[:xdigit:]]+ syscall=[[:digit:]]+ success=yes exit=[[:digit:]]+ a0=[[:digit:]]+ a1=[[:xdigit:]]+ a2=[[:digit:]]+ a3=[[:xdigit:]]+ items=0 ppid=[[:digit:]]+ pid=[[:digit:]]+ auid=[[:digit:]]+ uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=\(none\) ses=[[:digit:]]+ comm="[[:alnum:]]+" exe="[[:alnum:]/]+" subj=unconfined key=\(null\)[^[:alpha:]]+ARCH=x86_64 SYSCALL=write AUID="[[:alnum:]]+" UID="[[:alnum:]]+" GID="[[:alnum:]]+" EUID="[[:alnum:]]+" SUID="[[:alnum:]]+" FSUID="[[:alnum:]]+" EGID="[[:alnum:]]+" SGID="[[:alnum:]]+" FSGID="[[:alnum:]]+"$