I have a situation where there are two audit clients on the same machine: one of them is auditd, and another one is an IDS client that uses the audit subsystem directly. By looking at the source (http://lxr.free-electrons.com/source/kernel/audit.c?v=3.13#L787), I suspect that there might be no provision in the kernel for multiple audit subsystem userland daemons running in parallel (only one pid, only one netlink socket in the kernel). I could not find any documentation confirming or denying that.
Has anyone tried that before? What would actually happen if two different audit clients tried to use the same interface to the audit subsystem in the kernel?
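One way to see which process the kernel currently treats as the audit daemon is to send an AUDIT_GET over the NETLINK_AUDIT socket and read the `pid` field of the returned `struct audit_status`. This is an added example, not code from the question or from auditd; it assumes Linux, CAP_AUDIT_CONTROL (root) for the live query, and that the first eight `__u32` fields of `audit_status` have the layout given in the comments.

```python
import socket
import struct

NETLINK_AUDIT = 9              # protocol number from <linux/netlink.h>
AUDIT_GET = 1000               # "get status" message type from <linux/audit.h>
NLMSG_ERROR = 2                # netlink ack/error message type
NLM_F_REQUEST = 0x01
NLM_F_ACK = 0x04
NLMSG_HDR = struct.Struct("IHHII")   # nlmsg_len, nlmsg_type, nlmsg_flags, nlmsg_seq, nlmsg_pid
# Assumed layout of the leading fields of struct audit_status (all __u32):
# mask, enabled, failure, pid, rate_limit, backlog_limit, lost, backlog
AUDIT_STATUS = struct.Struct("8I")
STATUS_NAMES = ("mask", "enabled", "failure", "pid", "rate_limit",
                "backlog_limit", "lost", "backlog")


def build_audit_get(seq: int) -> bytes:
    """Netlink request asking the kernel for its audit status (header only, no payload)."""
    return NLMSG_HDR.pack(NLMSG_HDR.size, AUDIT_GET, NLM_F_REQUEST | NLM_F_ACK, seq, 0)


def parse_audit_status(msg: bytes) -> dict:
    """Decode an AUDIT_GET reply into a dict; raises if the message is a different type."""
    _len, ntype, _flags, _seq, _pid = NLMSG_HDR.unpack_from(msg)
    if ntype != AUDIT_GET:
        raise ValueError(f"unexpected netlink message type {ntype}")
    return dict(zip(STATUS_NAMES, AUDIT_STATUS.unpack_from(msg, NLMSG_HDR.size)))


def registered_audit_pid() -> int:
    """Ask the running kernel which pid it has registered as the audit daemon (0 = none)."""
    with socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_AUDIT) as s:
        s.bind((0, 0))
        s.send(build_audit_get(seq=1))
        while True:  # the status reply and the ack may arrive in either order
            reply = s.recv(8192)
            ntype = NLMSG_HDR.unpack_from(reply)[1]
            if ntype == AUDIT_GET:
                return parse_audit_status(reply)["pid"]
            if ntype == NLMSG_ERROR:
                err = struct.unpack_from("i", reply, NLMSG_HDR.size)[0]
                if err != 0:  # e.g. -EPERM without CAP_AUDIT_CONTROL
                    raise OSError(-err, "AUDIT_GET rejected by kernel")


if __name__ == "__main__":
    print("pid registered with the kernel as audit daemon:", registered_audit_pid())
```

Running this once with only auditd up and again after starting the second client shows whether the second client's AUDIT_SET replaced auditd's pid, which is the single-daemon behaviour the question suspects.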