I tested a new audit rule with auditctl and it does what I want. So I put it in /etc/audit/audit.rules owned by root:root and same permissions 644 as other files defaultly in the dir. I can load it successfully with auditctl -R however it does not load on reboot. I also tried permissions 600 on audit.rules but that did not help.
Here is the contents of /etc/audit/audit.rules
$this->bbcode_second_pass_code('', '
-a never,exclude -F msgtype=LOGIN
')
This happens on both an odroid-n2 kernel 4.9.170-1-ARCH and odroid-xu4 kernel 4.14.111-1-ARCH.
Can anyone offer help?