Comment 1 for bug 1620849

Ian Wienand (iwienand) wrote :

The bulk of the logs appears to be along the lines of

---
Sep 5 16:13:49 ubuntu-xenial-osic-cloud1-4101327 audispd: node=ubuntu-xenial-osic-cloud1-4101327 type=EOE msg=audit(1473092029.822:547227):
Sep 5 16:13:50 ubuntu-xenial-osic-cloud1-4101327 audispd: node=ubuntu-xenial-osic-cloud1-4101327 type=SYSCALL msg=audit(1473092030.022:547228): arch=c000003e syscall=94 success=yes exit=0 a0=7ffc49f44d80 a1=6e a2=4 a3=0 items=1 ppid=26131 pid=26132 auid=3000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="rsync" exe="/usr/bin/rsync" key="perm_modV-38558"
Sep 5 16:13:50 ubuntu-xenial-osic-cloud1-4101327 audispd: node=ubuntu-xenial-osic-cloud1-4101327 type=CWD msg=audit(1473092030.022:547228): cwd="/home/jenkins/workspace/gate-openstack-ansible-openstack-ansible-aio-ubuntu-xenial-nv/logs/host"
---

I'm almost certain this is coming from ansible-security in [1], mentioned in [2] at

---
With modifying the active line so that it contains yes, the audispd daemon will start logging events. The logging method depends on further setting in the same file.
---

So this seems to be behaving according to its specification, but I wonder how much verbosity is helpful, especially in CI. At the very least it compresses well (~15mb) which could be done in [1]

[1] https://github.com/openstack/openstack-ansible-security/blob/master/tasks/auditd.yml#L288
[2] https://access.redhat.com/solutions/2380591
[3] http://docs.openstack.org/developer/openstack-ansible-security/controls-cat1.html
[4] http://git.openstack.org/cgit/openstack/openstack-ansible/tree/scripts/scripts-library.sh#n134
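As an added example (not code from the bug report or from openstack-ansible-security), a small parser over constructed audispd lines in the same syslog format as the ones quoted above, grouping records into audit events by serial and counting them per record type, per audit rule key and per executable, which is the breakdown needed to see which auditd rules drive the volume:

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the syslog-forwarded audispd format shown in the comment.
SAMPLE_LOG = """\
Sep 5 16:13:49 node-a audispd: node=node-a type=EOE msg=audit(1473092029.822:547227):
Sep 5 16:13:50 node-a audispd: node=node-a type=SYSCALL msg=audit(1473092030.022:547228): arch=c000003e syscall=94 success=yes exit=0 a0=7ffc49f44d80 a1=6e a2=4 a3=0 items=1 ppid=26131 pid=26132 auid=3000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="rsync" exe="/usr/bin/rsync" key="perm_mod"
Sep 5 16:13:50 node-a audispd: node=node-a type=CWD msg=audit(1473092030.022:547228): cwd="/home/jenkins/workspace/logs/host"
Sep 5 16:13:50 node-a audispd: node=node-a type=EOE msg=audit(1473092030.022:547228):
Sep 5 16:13:51 node-a audispd: node=node-a type=SYSCALL msg=audit(1473092031.100:547229): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=4242 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key="access"
Sep 5 16:13:51 node-a audispd: node=node-a type=EOE msg=audit(1473092031.100:547229):
"""

PREFIX_RE = re.compile(r'^\w{3} +\d+ [\d:]+ \S+ audispd: (?P<body>.*)$')
MSG_RE = re.compile(r'msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # quoted values may contain spaces

def parse_line(line):
    """Return a dict of audit fields from one audispd syslog line, or None."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    body = m.group('body')
    msg = MSG_RE.search(body)
    if not msg:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    fields['serial'] = int(msg.group('serial'))  # ties SYSCALL/CWD/EOE together
    fields['timestamp'] = float(msg.group('ts'))
    return fields

def summarize(text):
    """Group records into events by serial and count what drives the volume."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    events = defaultdict(list)
    for r in records:
        events[r['serial']].append(r)
    by_type = Counter(r['type'] for r in records)
    by_key = Counter(r['key'] for r in records if 'key' in r)   # rule key (-k)
    by_exe = Counter(r['exe'] for r in records if 'exe' in r)
    failed = sum(1 for r in records if r.get('success') == 'no')
    return {'records': len(records), 'events': len(events), 'by_type': by_type,
            'by_key': by_key, 'by_exe': by_exe, 'failed_syscalls': failed}

if __name__ == '__main__':
    s = summarize(SAMPLE_LOG)
    print(f"{s['records']} records in {s['events']} audit events")
    for key, n in s['by_key'].most_common():
        print(f"  key={key}: {n} SYSCALL records")
```

Run it over a real syslog from one of these CI hosts to see which rule keys (and which executables, rsync in the quoted case) account for most of the records before deciding what to tune.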