if $programname == 'audit' and $msg contains 'addr=127.0.0.1' then stop

I don't want to stop all messages from audit since some may be useful. And most of my dovecot logins come from webmail on localhost. Of course, your situation may vary. This needs to be near the top of /etc/rsyslog.conf ... before any mention of /var/log/messages.
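To see what this filter discards before relying on it, the added example below (not part of the original tip) evaluates the same two conditions against constructed audit records and compares them with a narrower variant that also requires the dovecot auth binary and res=success. The record contents, the function names and the narrower rule are assumptions made for illustration.

```python
# Added example: which audit records would an rsyslog "stop" filter discard?
# All records below are constructed for illustration, not real log data.

def audit_msg(rtype, op, exe, addr, terminal, res):
    """Build a constructed audit message in the shape quoted in the question."""
    return (f"{rtype} pid=21508 uid=0 auid=4294967295 ses=4294967295 "
            f"msg='op={op} acct=\"user\" exe=\"{exe}\" "
            f"hostname={addr} addr={addr} terminal={terminal} res={res}'")

DOVECOT = "/usr/libexec/dovecot/auth"
SAMPLES = {  # name -> (programname, msg)
    "dovecot_ok_local": ("audit", audit_msg(
        "USER_ACCT", "PAM:accounting", DOVECOT, "127.0.0.1", "dovecot", "success")),
    "dovecot_fail_local": ("audit", audit_msg(
        "USER_AUTH", "PAM:authentication", DOVECOT, "127.0.0.1", "dovecot", "failed")),
    "sshd_ok_local": ("audit", audit_msg(
        "USER_ACCT", "PAM:accounting", "/usr/sbin/sshd", "127.0.0.1", "ssh", "success")),
    "dovecot_ok_remote": ("audit", audit_msg(
        "USER_ACCT", "PAM:accounting", DOVECOT, "203.0.113.5", "dovecot", "success")),
}

def page_rule(programname, msg):
    # Same two conditions as the filter in the tip ('contains' is a substring test).
    return programname == "audit" and "addr=127.0.0.1" in msg

def narrow_rule(programname, msg):
    # Assumed narrower variant; in rsyslog.conf it would read:
    #   if $programname == 'audit' and $msg contains 'addr=127.0.0.1'
    #      and $msg contains 'exe="/usr/libexec/dovecot/auth"'
    #      and $msg contains 'res=success' then stop
    return (page_rule(programname, msg)
            and f'exe="{DOVECOT}"' in msg
            and "res=success" in msg)

def dropped(rule):
    """Names of the sample records the rule would discard."""
    return sorted(n for n, (prog, msg) in SAMPLES.items() if rule(prog, msg))

if __name__ == "__main__":
    print("page rule drops:  ", dropped(page_rule))
    print("narrow rule drops:", dropped(narrow_rule))
```

With the tip's rule, a failed dovecot authentication and an sshd record from localhost are discarded along with the routine success message; the narrower variant discards only the routine dovecot success message.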
Computer Tips - Linux: How can I avoid the excessive messages in /var/log/messages from dovecot like this: audit: USER_ACCT pid=21508 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="user" exe="/usr/libexec/dovecot/auth" hostname=127.0.0.1 addr=127.0.0.1 terminal=dovecot res=success'
Date: 2016jan12
OS: Linux
Q. Linux: How can I avoid the excessive messages in /var/log/messages from dovecot like this: audit: USER_ACCT pid=21508 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="<user>" exe="/usr/libexec/dovecot/auth" hostname=127.0.0.1 addr=127.0.0.1 terminal=dovecot res=success'
A. It would be better if there was an option to turn it off.
But for now, I have added a filter to /etc/rsyslog.conf: