/var is full due to large audit.log files in /var/log/audit on Security Analytics