I was surprised that reporting requires a few steps, namely the process of correlating the event ID with the more verbose logs.

Running auditd reports from cron requires a “–input-logs” flag added to the string (on RHEL system at least). Otherwise, aureport expects stdin as input and provides no output.

This reporting exposed some automated actions that actually modify compiled files. “/opt/application/temp.bin” is changed frequently. Is there any means to exclude specific files in a watched directory from the auditing action?