I’m a bit late to this part of the discussion, but osquery and go-audit both interface with the Linux kernel audit socket the same way. However, the Linux kernel only supports sending audit events to a single PID, so you can’t run them both with kernel auditing enabled at the same time; they’ll fight over that socket. Just something to be aware of.
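A way to check which process currently holds the audit socket, added here as an example and not part of the original comment. It assumes the `pid N` line format printed by `auditctl -s`, that the daemons appear in `/proc/<pid>/comm` as `osqueryd` and `go-audit`, and it uses hypothetical function names and a constructed sample status.

```shell
#!/bin/sh
# Constructed sample of `auditctl -s` output (not captured from a real host).
SAMPLE_STATUS='enabled 1
failure 1
pid 4321
rate_limit 0
backlog_limit 8192'

# Read `auditctl -s` text on stdin and print the PID the kernel sends
# audit events to. Prints 0 when no consumer is registered.
audit_owner_pid() {
    awk '$1 == "pid" { print $2; found = 1; exit }
         END { if (!found) print 0 }'
}

# describe_owner PID NAME EXPECTED
# Compare the process holding the audit socket with the daemon you
# intend to be the audit consumer on this host.
describe_owner() {
    pid=$1; name=$2; expected=$3
    if [ "$pid" -eq 0 ]; then
        echo "unclaimed"   # nothing is receiving kernel audit events
    elif [ "$name" = "$expected" ]; then
        echo "ok"          # the intended daemon owns the socket
    else
        echo "conflict"    # another consumer took it; expected one gets nothing
    fi
}

# Live check (needs root and auditctl). Assumed usage:
#   check_audit_owner go-audit
check_audit_owner() {
    pid=$(auditctl -s | audit_owner_pid)
    name=$(cat "/proc/$pid/comm" 2>/dev/null || true)
    echo "pid=$pid name=$name status=$(describe_owner "$pid" "$name" "$1")"
}

# Demo on the constructed sample: PID 4321 is pretended to be osqueryd
# while go-audit is the expected consumer.
sample_pid=$(printf '%s\n' "$SAMPLE_STATUS" | audit_owner_pid)
describe_owner "$sample_pid" osqueryd go-audit
```

Running `check_audit_owner` periodically from monitoring catches the case where a second audit consumer is started later and silently takes over the socket.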