Hello,
I have been using the Linux Audit module for a while now, especially in the context of a container (Docker) environment. I use SELinux MCS labels with docker --selinux-enabled to separate different container logs in the auditd log stream. But this solution is very limited to SELinux-enabled OSes and cannot be ported to other systems like Ubuntu, which uses AppArmor. So I am looking for some other way to separate each container's logs in the auditd log stream. If somebody can give me pointers or patches that make auditd container-aware, it will be really helpful for me.
Thanks,
Wajih
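
The MCS-based separation described in this message, as an added example that is not part of the original post: it groups audit events by the MCS category pair in the `subj=` field and carries records without a subject (such as PATH) along with their event. The sample records are constructed, the function names are hypothetical, and the domain type names and the two-category-per-container convention are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit records, not taken from the original post.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1500000000.101:201): syscall=2 pid=4101 comm="cat" subj=system_u:system_r:svirt_lxc_net_t:s0:c12,c345
type=SYSCALL msg=audit(1500000000.202:202): syscall=59 pid=4202 comm="sh" subj=system_u:system_r:svirt_lxc_net_t:s0:c77,c901
type=SYSCALL msg=audit(1500000000.303:203): syscall=2 pid=900 comm="sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
type=PATH msg=audit(1500000000.404:204): item=0 name="/etc/passwd" obj=system_u:object_r:svirt_sandbox_file_t:s0:c12,c345
type=SYSCALL msg=audit(1500000000.404:204): syscall=2 pid=4101 comm="cat" subj=system_u:system_r:svirt_lxc_net_t:s0:c12,c345
"""

EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")  # timestamp:serial
SUBJ_RE = re.compile(r"\bsubj=(\S+)")
# Assumed SELinux domain types for container processes.
CONTAINER_TYPES = {"svirt_lxc_net_t", "container_t"}
# Assumed convention: each container gets exactly two MCS categories at s0.
MCS_PAIR_RE = re.compile(r"^s0:(c\d+,c\d+)$")


def mcs_pair(context):
    """Return 'cN,cM' for a container process context, else None."""
    parts = context.split(":", 3)  # user:role:type:level
    if len(parts) != 4 or parts[2] not in CONTAINER_TYPES:
        return None
    match = MCS_PAIR_RE.match(parts[3])
    return match.group(1) if match else None


def split_by_container(log_text):
    """Group audit records per container, keyed by the subject's MCS pair."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        match = EVENT_RE.search(line)
        if match:
            events[match.group(1)].append(line)
    streams = defaultdict(list)
    for records in events.values():
        label = None
        for rec in records:  # the first container subject in the event decides
            subj = SUBJ_RE.search(rec)
            label = mcs_pair(subj.group(1)) if subj else None
            if label:
                break
        streams[label or "host"].extend(records)
    return dict(streams)
```

Mapping a category pair back to a container name requires the container's process label from the container runtime, which this sketch does not query.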