Auditd & Saltstack
I'm working on expanding my logging utilizing auditd. It's all going fine, with one exception. I use Saltstack to control aspects of my servers, and everything salt does is already logged on the salt-master server.
The problem I'm running into is that when I enable logging of interactive/tty commands in auditd, these commands are logged on both the salt-master server and the salt-minion servers. So I'm getting duplicates of every log stack for each command I run.
Since I'm feeding these logs into Splunk, this is eating up more and more of my license allocation.
I'm trying to find a way to prevent the minions from logging anything that is executed/triggered remotely from the salt-master.
Thoughts?
Responses