# monitor auditd log and send out over local6 to central loghost $ModLoad imfile.so # auditd audit.log $InputFileName /var/log/audit/audit.log $InputFileTag tag_audit_log: $InputFileStateFile audit_log $InputFileSeverity info $InputFileFacility local6 $InputRunFileMonitor :msg, !contains, "type=AVC" local6.* @@log01:514