^type=EXECVE auditd-execve msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): audit.id auditd-execve argc=\d+ a0="(\.*)" audit.execve.a0 auditd-execve a1="(\.*)" audit.execve.a1 auditd-execve a2="(\.*)" audit.execve.a2 auditd-execve a3="(\.*)" audit.execve.a3 auditd-execve a4="(\.*)" audit.execve.a4 auditd-execve a5="(\.*)" audit.execve.a5 auditd-execve a6="(\.*)" audit.execve.a6 auditd-execve a7="(\.*)" audit.execve.a7