What is the syslog facility for auditd logs?
Auditd to syslog plugin facility settings
The Audisp plugin will send auditd data to syslog by default to the
user facility. You can change this however.
cat /etc/audisp/plugins.d/syslog.conf # This file controls the configuration of the syslog plugin. # It simply takes events and writes them to syslog. The # arguments provided can be the default priority that you # want the events written with. And optionally, you can give # a second argument indicating the facility that you want events # logged to. Valid options are LOG_LOCAL0 through 7, LOG_AUTH, # LOG_AUTHPRIV, LOG_DAEMON, LOG_SYSLOG, and LOG_USER. active = yes direction = out path = builtin_syslog type = builtin args = LOG_INFO format = string
The key there being
Valid options are LOG_LOCAL0 through 7 so you can adjust this to your needs. On my system, they are the above default settings and I get auditd messages in the
user facility logs.