# fim
c
so, just to be clear, you cannot run auditd and osquery (with auditing enabled) at the same time and have audit events go to both of them
s
Yep, sorry should have been clearer. Because I had `audit_debug` as a flag, osquery was logging the auditd type records, but there were no osquery json logs of the same events, and as I said `auditctl -s` said it was osquery who had the handle on the socket
👍 1