Sort of a followup question. I'm surprised adding "audit.none" to the "/var/log/messages" line of rsyslog.conf (RHEL 6) works. I didn't think audit was a full "facility" in whatever rsyslog looks at. Am I more confused than normal?
It's not. If you look at your main log you should see a message from rsyslogd saying something like "unknown facility 'audit'".