# monitor auditd log and send out over local6 to central loghost
$ModLoad imfile.so

# auditd audit.log
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor

:msg, !contains, "type=AVC"
local6.*				@@log01:514