Physically dragging the thread back on topic...
I really am going crazy, trying to deal with the hourly logs from the loghost. We've got 170+ servers and workstations... but a *very* large percentage of what's showing up is from his bloody new fedora 22, with its idiot systemd logging of *ever* selinux message to /var/log/messages.
I tried creating a rule, /etc/rsyslog.d/audit.conf, that reads:
if $msg contains "audit" and $msg,contains,'res=success' then -
but that seemed to send *everything* to /dev/null. That was my best guess, based on googling (yahooing?) and man pages. Can anyone tell me what's wrong with that syntax?
mark