This is just my opinion though, the auditd should blindly accept and
consume messages from kernel. It should not care what it has got.
What to be logged should be determined by policy settings.
Actually I'm working on some log filter plug-in for auditd that will be
loaded when auditd starts. It works just like ulogd's interpreter.
The filter does parse the audit log messages and does what it should
do if necessary, i.e. writes into /var/log/message for AVC warnings,
sends alert message to admin when it detects some attacks, etc.
Current auditd implementation does not have interfaces to pass audit log
messages to other filter. It seems it is becoming a bit complicated, a big
monolithic binary, I'd like to request to modify auditd to add APIs that
load filter plug-ins and pass audit log messages to them.
I can contribute some of my work if it is interesting to the author.
-- Junji Kanemaru
Linon Inc.
Tokyo Japan
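The filter plug-in described in the message, accept every record, parse it, route AVC denials to a log sink and raise an alert when a rule matches, sketched as an added example; this is not the author's plug-in or any auditd code. The audit records, the "alert on denials against shadow_t" rule and the in-memory sinks standing in for /var/log/messages and admin mail are constructed for the example.

```python
import re
from collections import defaultdict

# Audit record header: 'type=AVC msg=audit(1700000000.123:456): <body>'
HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
# key=value pairs in the body; values may be double-quoted (comm="httpd")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# AVC verdict and permission set: 'avc:  denied  { read open } for ...'
AVC = re.compile(r"avc:\s+(granted|denied)\s+\{ ([^}]*) \}")

def parse_record(line):
    """Return (type, serial, fields) or None if the line is not an audit record."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, _ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in KV.findall(body)}
    verdict = AVC.search(body)
    if verdict:
        fields["verdict"] = verdict.group(1)
        fields["perms"] = verdict.group(2).split()
    return rtype, int(serial), fields

class AuditFilter:
    """Blindly accepts every line; policy lives in the rules, not in the parser.
    Sinks are lists here instead of syslog and mail (assumption for the example)."""
    ALERT_TYPES = {"shadow_t"}  # constructed rule: denials against these target types

    def __init__(self):
        self.log, self.alerts = [], []
        self.denials = defaultdict(int)  # per-command denial counter

    def consume(self, line):
        rec = parse_record(line)
        if rec is None:
            return "ignored"          # unknown input is dropped, never an error
        rtype, serial, f = rec
        if rtype != "AVC" or f.get("verdict") != "denied":
            return "passed"
        comm = f.get("comm", "?")
        self.denials[comm] += 1
        self.log.append(f"avc denied {comm} {' '.join(f['perms'])} {f.get('name', '')}")
        ttype = f.get("tcontext", "").split(":")[2:3]   # user:role:type:level -> type
        if ttype and ttype[0] in self.ALERT_TYPES:
            self.alerts.append(f"serial {serial}: {comm} denied on {ttype[0]}")
            return "alerted"
        return "logged"

SAMPLE = [  # constructed records, not captured from a real system
    'type=AVC msg=audit(1700000000.101:11): avc:  denied  { read } for  pid=4242 comm="httpd" name="index.html" dev=sda1 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1700000000.101:11): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"',
    'type=AVC msg=audit(1700000000.202:12): avc:  denied  { read open } for  pid=4242 comm="httpd" name="shadow" dev=sda1 ino=7 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'not an audit record',
]

def run_sample():
    """Feed the constructed records through the filter; returns (filter, verdicts)."""
    flt = AuditFilter()
    return flt, [flt.consume(line) for line in SAMPLE]
```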