Using the auditd decoder (auditd-syscall), with the following rule file:
<group name="syslog,">
<rule id="1111111" level="7">
<decoded_as>auditd</decoded_as>
<match>FOO</match>
</rule>
</group>
ALWAYS gives me at least one additional audit entry in the alert.
This frequently pukes with rule 1003, "non standard syslog message size too large".
I want to match any message in audit.log that contains the (audit key) key=FOO, and absolutely nothing else.
Why am I getting at least 1 additional audit entry in this log, when it should only be the syscall entry?
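As an added example, not part of the original post and not OSSEC's own decoder code: auditd writes several records per event (SYSCALL, CWD, PATH, PROCTITLE and so on) that all carry the same msg=audit(timestamp:serial) identifier, so anything that groups records by that identifier will bring the companion records along with the SYSCALL line. The Python below, using constructed audit.log lines and hypothetical helper names (parse_record, group_events, events_with_key, substring_matches), groups records by event id and contrasts matching on the SYSCALL record's key field with a plain substring match, which also picks up events where the string appears somewhere else, such as in a PATH name.

```python
import re

# Constructed sample of /var/log/audit/audit.log (not taken from the post).
# Event 4567 is tagged key="FOO"; event 4568 is tagged key="bar";
# event 4569 has no audit key but contains "FOO" inside a file path.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1610000000.123:4567): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1 pid=1234 auid=1000 uid=0 gid=0 comm="cat" exe="/usr/bin/cat" key="FOO"
type=CWD msg=audit(1610000000.123:4567): cwd="/root"
type=PATH msg=audit(1610000000.123:4567): item=0 name="/etc/shadow" inode=12345 dev=fd:00 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=PROCTITLE msg=audit(1610000000.123:4567): proctitle=636174002F6574632F736861646F77
type=SYSCALL msg=audit(1610000000.456:4568): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=1 pid=1235 auid=1000 uid=1000 gid=1000 comm="vim" exe="/usr/bin/vim" key="bar"
type=CWD msg=audit(1610000000.456:4568): cwd="/home/user"
type=PATH msg=audit(1610000000.456:4568): item=0 name="/home/user/notes.txt" inode=777 dev=fd:00 mode=0100644 ouid=1000 ogid=1000 nametype=NORMAL
type=SYSCALL msg=audit(1610000000.789:4569): arch=c000003e syscall=257 success=yes exit=5 items=1 ppid=1 pid=1236 auid=1000 uid=1000 gid=1000 comm="cat" exe="/usr/bin/cat" key=(null)
type=CWD msg=audit(1610000000.789:4569): cwd="/tmp"
type=PATH msg=audit(1610000000.789:4569): item=0 name="/tmp/FOO.txt" inode=888 dev=fd:00 mode=0100644 ouid=1000 ogid=1000 nametype=NORMAL
"""

# type=<record type> msg=audit(<timestamp>:<serial>): <key=value fields>
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): ?(?P<rest>.*)$'
)
# key=value pairs; values may be double-quoted (and then may contain spaces)
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_record(line):
    """Parse one audit record into its type, event id and field dict."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    fields = {}
    for fm in FIELD_RE.finditer(m.group('rest')):
        # group 3 is the unquoted content of a quoted value, group 2 the raw token
        fields[fm.group(1)] = fm.group(3) if fm.group(3) is not None else fm.group(2)
    return {
        'type': m.group('type'),
        'event_id': f"{m.group('ts')}:{m.group('serial')}",
        'fields': fields,
        'raw': line,
    }


def group_events(log_text):
    """Group records by their shared audit(timestamp:serial) identifier."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line.strip())
        if rec is not None:
            events.setdefault(rec['event_id'], []).append(rec)
    return events


def audit_key(records):
    """Return the key= field of the event's SYSCALL record, if any."""
    for rec in records:
        if rec['type'] == 'SYSCALL':
            return rec['fields'].get('key')
    return None


def events_with_key(log_text, wanted):
    """Events whose SYSCALL record is tagged with the given audit key."""
    return [(eid, recs) for eid, recs in group_events(log_text).items()
            if audit_key(recs) == wanted]


def substring_matches(log_text, needle):
    """Events in which any record line contains the needle anywhere."""
    return [(eid, recs) for eid, recs in group_events(log_text).items()
            if any(needle in rec['raw'] for rec in recs)]


if __name__ == '__main__':
    for eid, recs in events_with_key(SAMPLE_AUDIT_LOG, 'FOO'):
        print(eid, [r['type'] for r in recs])   # the key hit plus its companion records
    print([eid for eid, _ in substring_matches(SAMPLE_AUDIT_LOG, 'FOO')])
```

Matching on the parsed key field keeps only the event that auditd itself tagged, while the substring variant also returns event 4569 because "FOO" occurs in a path name; either way, each hit is an event of several records, not a single SYSCALL line.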