Customer added following filter for SSH login event in audit.cfg:
but the log still apears, not filtered.
The login terminal obtained from PAM is IP address instead of resolved hostname.
It happens when useDNS=no in /etc/ssh/sshd_config.
Set yes to useDNS or specify ip address in audit.cfg.