a coworker suggested i change max_log_file_action to KEEP_LOGS instead of ROTATE in /etc/audit/auditd.conf. this did the trick. auditd was generating too many logs and activating log rotation. i ran a test after the change and the lower ports that did not show up previously, showed up in the logs thanks, yah