fix(agent): reduce auditd log noise with threshold and execve filter

- Add 50 event threshold for EventsLost logging (ignore 1-2 event losses)
- Filter execve rules to real users only (auid>=1000, auid!=-1)
- Simplify EventsLost function

Author: yllada

agent/collector/auditd/stream.go

@@ -10,6 +10,11 @@ import (
 	"github.com/utmstack/UTMStack/agent/utils"
 )
 
+const (
+	// eventsLostThreshold - only log when this many events are lost at once.
+	eventsLostThreshold = 50
+)
+
 // eventStream implements libaudit.Stream interface for reassembled events
 type eventStream struct {
 	queue    chan *plugins.Log
@@ -45,7 +50,6 @@ func (s *eventStream) ReassemblyComplete(msgs []*auparse.AuditMessage) {
 	}
 
 	// Non-blocking send: drop events if queue is full to prevent backpressure
-	// This is the "user-space" backpressure mitigation strategy from Elastic Auditbeat
 	select {
 	case s.queue <- log:
 		// Event sent successfully
@@ -55,12 +59,10 @@ func (s *eventStream) ReassemblyComplete(msgs []*auparse.AuditMessage) {
 	}
 }
 
-// EventsLost is called when events were lost due to buffer overflow or rate limiting
+// EventsLost is called when events were lost due to buffer overflow
 func (s *eventStream) EventsLost(count int) {
-	// Ignore invalid counts - large values indicate sequence number rollover/overflow
-	// not actual lost events. A reasonable max is 100K events lost in one batch.
-	if count <= 0 || count > 100000 {
+	if count < eventsLostThreshold {
 		return
 	}
-	utils.Logger.ErrorF("auditd: %d events lost due to buffer overflow or rate limiting", count)
+	utils.Logger.ErrorF("auditd: %d events lost due to buffer overflow", count)
 }

agent/dependency/auditd_linux.go

@@ -28,8 +28,9 @@ const auditRulesContent = `## UTMStack SIEM Audit Rules
 ## Additive rules - does not delete existing configuration
 
 # Monitor executed commands (critical for SIEM)
--a always,exit -F arch=b64 -S execve -k utmstack_exec
--a always,exit -F arch=b32 -S execve -k utmstack_exec
+# Filter: auid>=1000 (real users only), auid!=-1 (valid audit UID, excludes system processes)
+-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=-1 -k utmstack_exec
+-a always,exit -F arch=b32 -S execve -F auid>=1000 -F auid!=-1 -k utmstack_exec
 
 # Privilege escalation
 -a always,exit -F arch=b64 -S setuid,setgid,setreuid,setregid,setresuid,setresgid -F auid>=1000 -k utmstack_priv