I have set my auditd rules to log when the system time is changed However, our servers are VMs and thus have problems with the time drifting out. We needed to solve this issue so we used a VMware tool to regularly synchronize the time. My problem now is that my audit logs are overwhelmed with time change entries like this: Jun 1 15:08:39 ***** audispd: node=****** type=SYSCALL msg=audit(1338559719.053:344291): arch=c000003e syscall=159 success=yes exit=5 a0=7ffff2084050 a1=0 a2=144b a3=485449575f4c4c55 items=0 ppid=1 pid=1348 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmtoolsd" exe="/usr/lib/vmware-tools/bin64/appLoader" key="time_change" How can I exclude this vmware tool from the audit, but still capture a user changing the time? Here are my current audit rules to capture time changes: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -k time_change -a always,exit -F arch=b32 -S clock_settime -k time_change