The following is seen in your syslog/messages log file upon start/restart of auditd:
augenrules: WARNING - 32/64 bit syscall mismatch in line 121, you should specify an arch
According to the
If you get a warning from auditctl saying, "32/64 bit syscall mismatch in line XX, you should specify an arch". This means that you specified a syscall rule on a bi-arch system where the syscall has a different syscall number for the 32 and 64 bit interfaces. This means that on one of those interfaces you are likely auditing the wrong syscall.
Divide the rule into 2, and adding the arch, for example:
-always,exit -S openat -k access`
-always,exit -F arch=b32 -S openat -k access -always,exit -F arch=b64 -S openat -k access
-F arch=b32 and
-F arch=b64. Notice that they need to be the very first argument set right after
always,exit or similar.