i haven't looked too much into osquery's audit stuff to see if we can do anything advanced on system. currently we're using it as basically a relay. get the audit messages sent to centralized logging soonest. but that's because we're snapping it in to replace auditd and then go-audit. if there's more we can do with it, i'm sure it'll come up once we finish the migration

I’m a bit late to this part of the discussion but, osquery and go-audit both interface with the linux kernel audit socket the same way. However, the linux kernel only supports sending audit events to a single PID, so you can’t run them both w/ kernel auditing enabled at the same time, they’ll fight over that socket. Just something to be aware of.