I am trying to log changes to a file system using auditd, but I am also seeing many other things being logged, for example all failed SSH login attempts (USER_AUTH and USER_LOGIN events). How can I prevent them from being logged? When I do auditctl -l I see only the path watching rules and no other rules.
For things you don't want in the audit logs, you can add them to an exclude filter. So if you want to exclude logins, you can do
will stop logging of all logins, successful or not. For more information about how to create these rules, see the man page for auditctl.
However, you might simply use aureport to search for the logs you do want, instead of blocking the ones you don't.

I think you will find these events coming out of the pam system. Perhaps there is an option in pam that prevents it from auditing.
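As an added illustration of the exclude-filter approach from the first answer (this is not code from the thread): the PAM-generated USER_AUTH and USER_LOGIN records are dropped with exclude rules keyed on msgtype, while the path watch stays. The watched path /etc/myapp, the key name and the rules file name are assumptions.

```shell
#!/bin/sh
# Added example: build an audit rules file that keeps a file-system watch
# but drops PAM login records via the exclude filter.
# /etc/myapp, the key "fs-change" and 20-myapp.rules are illustrative only.
set -eu

# Emit rules text: one watch rule, then one exclude rule per record type.
# Usage: gen_rules /etc/myapp USER_AUTH USER_LOGIN
gen_rules() {
    watch="$1"; shift
    printf '%s\n' "-w $watch -p wa -k fs-change"
    for t in "$@"; do
        # -F msgtype is only meaningful on the exclude (and user) filter lists
        printf '%s\n' "-a always,exclude -F msgtype=$t"
    done
}

# Count exclude rules in rules text read from stdin (for verification).
count_excludes() {
    grep -c -- '-a always,exclude'
}

# Apply only where auditd is installed and we are root; otherwise just show.
if command -v auditctl >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    gen_rules /etc/myapp USER_AUTH USER_LOGIN > /etc/audit/rules.d/20-myapp.rules
    augenrules --load   # merges rules.d/*.rules and loads the result
    auditctl -l         # exclude rules now appear next to the -w rule
else
    gen_rules /etc/myapp USER_AUTH USER_LOGIN
fi
```

Records already written before the rules were loaded are unaffected; only new USER_AUTH and USER_LOGIN records are suppressed.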