On Tue, Oct 4, 2016 at 11:29 AM, leam hall <leamhall@gmail.com> wrote:
> If I put "audit.none" in /etc/rsyslog.conf for the /var/log/messages line, it prevents audisp from logging there even though audisp to syslog is turned on.

I find that hard to believe, since "audit" is not a facility name and that's what rsyslog is expecting and the message I wrote IS what rsyslog prints when you give an invalid facility name, but okay.

All that said, if you really want to send audit records to a central host, I hope you've at least considered using auditd's own native functionality.