I have two groups for desktop PCs, with the same policies. In the group I'm using for auditing, most policies are set to audit mode -- at policy level, not rule module level. In the other group, those same policies are not in audit mode.
The original agent kit included membership in both groups, but hosts now belong to one group or the other. The hosts are all polling frequently and are up to date, as is rule generation.
But in the event log, certain events on hosts that are not in the audit group are reporting as "Audit:" events. Why am I getting audit events on hosts in the group where policies are not in audit mode?