auditctl doesn't log anything

1 vote
0 answers
2273 views
I am trying to find the app/activity on a server for a failed connection to an external MySQL host. For that I decided to use auditctl. I'm running the following commands:

    [nir]$ sudo auditctl -A exit,always -F arch=b64 -S connect
    [nir]$ sudo auditctl -l | grep -i 'arch'
    -a always,exit -F arch=b64 -S connect
    [nir]$ sudo ls -l -h /var/log/audit/audit.log
    -rw------- 1 root root 6.2M May 1 2020 /var/log/audit/audit.log
    [nir]$ sudo auditctl -m 'hey, are you working at all?'
    [nir]$ sudo ls -l -h /var/log/audit/audit.log
    -rw------- 1 root root 6.2M May 1 2020 /var/log/audit/audit.log
    [nir]$ service auditd status
    Redirecting to /bin/systemctl status auditd.service
    ● auditd.service - Security Auditing Service
       Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
       Active: active (running) since Sun 2019-12-15 20:24:05 UTC; 1 years 2 months ago
         Docs: man:auditd(8)
               https://github.com/linux-audit/audit-documentation
     Main PID: 1898 (auditd)
        Tasks: 2
       Memory: 140.0K
       CGroup: /system.slice/auditd.service
               └─1898 /sbin/auditd

    Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

But the log file /var/log/audit/audit.log does not get updated at all. I'm using an AWS EC2 server. Any suggestions?
Asked by Nir (1405 rep)
Feb 18, 2021, 09:02 AM
Last activity: Jul 9, 2025, 09:48 AM
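
An added example, not part of the original post: once records from the `-S connect` rule are reaching audit.log, this pairs each SYSCALL record with its SOCKADDR record by event ID and lists the executables whose connect() to port 3306 did not succeed. It assumes x86_64 (where syscall 42 is connect), IPv4 destinations and the raw log format; the sample records and the function names are constructed for illustration.

```python
import re
import socket
from collections import defaultdict

# Constructed sample records (not from the post), in auditd's raw log format.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1613638920.123:456): arch=c000003e syscall=42 success=no exit=-111 a0=3 a1=7ffd1c2b3a40 a2=10 a3=0 items=0 ppid=1 pid=2345 uid=48 comm="php-fpm" exe="/usr/sbin/php-fpm" key=(null)
type=SOCKADDR msg=audit(1613638920.123:456): saddr=02000CEA0A0000050000000000000000
type=SYSCALL msg=audit(1613638921.500:457): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7ffd1c2b3a40 a2=10 a3=0 items=0 ppid=1 pid=2400 uid=0 comm="curl" exe="/usr/bin/curl" key=(null)
type=SOCKADDR msg=audit(1613638921.500:457): saddr=020001BB5DB8D8220000000000000000
type=SYSCALL msg=audit(1613638922.900:458): arch=c000003e syscall=42 success=no exit=-115 a0=5 a1=7ffd1c2b3a40 a2=10 a3=0 items=0 ppid=1 pid=2501 uid=1000 comm="python3" exe="/usr/bin/python3" key=(null)
type=SOCKADDR msg=audit(1613638922.900:458): saddr=02000CEA0A0000050000000000000000
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_saddr(hex_saddr):
    """Decode an AF_INET sockaddr hex dump into (ip, port); None for other families."""
    raw = bytes.fromhex(hex_saddr)
    # Family is a native-endian u16 (little-endian on x86_64); port is big-endian.
    if len(raw) < 8 or int.from_bytes(raw[:2], "little") != socket.AF_INET:
        return None
    return socket.inet_ntoa(raw[4:8]), int.from_bytes(raw[2:4], "big")

def failed_connects(log_text, port=3306):
    """Return (exe, pid, ip, exit_code) for connect() calls to `port` with success=no."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        events[m.group(1)].update(fields)  # SYSCALL and SOCKADDR share one event ID
    hits = []
    for ev in events.values():
        if ev.get("syscall") != "42" or ev.get("success") != "no" or "saddr" not in ev:
            continue
        dest = decode_saddr(ev["saddr"])
        if dest and dest[1] == port:
            # exit=-111 is ECONNREFUSED; exit=-115 is EINPROGRESS from a
            # non-blocking socket, whose final outcome this record does not show.
            hits.append((ev["exe"], int(ev["pid"]), dest[0], int(ev["exit"])))
    return hits

if __name__ == "__main__":
    for hit in failed_connects(SAMPLE_LOG):
        print(hit)
```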