Way too many logs!

[Jeremy Leonard]

Here are the rules I'm using:

 -D 
-b 8096 
-a exit,always -S open -F success=0 -k RULE1 
-a exit,always -S unlink -S rmdir -k RULE2 
-w /etc/auditd.conf -k RULE3 
-w /etc/audit.rules -k RULE4 
-a exit,always -S acct -S reboot -S swapon -k RULE5 
-a exit,always -S settimeofday -S setrlimit -S setdomainname -k RULE6 
-a exit,always -S sched_setparam -S sched_setscheduler -k RULE7 
-a exit,always -S chmod -S fchmod -S chown -S fchown -k RULE8 
-a exit,always -S lchown -k RULE9


Here is the output of aureport: 

Summary Report ====================== 
Range of time: 04/25/08 16:37:44.116 - 04/25/08 16:47:29.266 
Number of changes in configuration: 22 
Number of changes to accounts, groups, or roles: 0 
Number of logins: 0 Number of failed logins: 0 
Number of users: 2 Number of terminals: 4 Number of host names: 2 
Number of executables: 33 Number of files: 693 
Number of AVC denials: 0 Number of MAC events: 0 
Number of failed syscalls: 4052 
Number of anomaly events: 0 
Number of responses to anomaly events: 0 
Number of crypto events: 0 
Number of process IDs: 1428 
Number of events: 1444530 


This is 475mb in ten minutes! 

Here is how the rule hits add up: 

RULE1: 4052 
RULE2: 601 
RULE3: 9 
RULE4: 1 
RULE5: 0 
RULE6: 40 
RULE7: 1438239 
RULE8: 1503 
RULE9: 0 

Here is one of the log entries I have so many of. 

type=SYSCALL msg=audit(04/25/08 16:37:48.568:194518) : arch=i386 syscall=_newselect per=400000 success=yes exit=0 a0=13 a1=f692e220 a2=0 a3=0 items=0 ppid=1 pid=4012 auid=unknown(4294967295) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=savd exe=/opt/sophos-av/engine/_/savd.0 subj=unconstrained key="RULE7" 

How can I exclude this so it doesn't get logged? 

The rules I have above are required by the government. DIACAP STIG

Thanks!