Trying to forward only my auditd events by syslog, but I don't know which facility to use. I don't want to send everything to my syslog server as it would create redundancy in logging. I've set the audispd syslog plugin to active and from what I understand that should make auditd use syslog for logging the events. Now all I have to do is set the correct facility for auditd's events to forward to my logging server.
Please let me know if I'm mistaken on how this should be done. *I'm trying this on a box CentOS 7