Is anyone shipping Linux auditd data off-host, and has anyone done work on interpreting it? For example, combining regex with the Linux audit tools, or simply using fluentd to pipe all the audit logs to a directory on a central server for compliance retention? (In the sample below, the records that share the same serial in `msg=audit(timestamp:serial)` — e.g. the SYSCALL, EXECVE, CWD and PATH lines with serial 74243 — belong to one event and need to be correlated together when parsing.)
type=USER_AUTH msg=audit(1408929267.794:74242): user pid=19126 uid=1853945932 auid=1853945932 ses=391 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="user" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=SYSCALL msg=audit(1408929267.798:74243): arch=c000003e syscall=59 success=yes exit=0 a0=7f1486c9bd18 a1=7fff580bcb40 a2=7f1486e9e350 a3=a items=2 ppid=19126 pid=19133 auid=1853945932 uid=0 gid=504 euid=0 suid=0 fsuid=0 egid=504 sgid=504 fsgid=504 tty=pts0 ses=391 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="privileged"
type=EXECVE msg=audit(1408929267.798:74243): argc=3 a0="/sbin/unix_chkpwd" a1="user" a2="chkexpiry"
type=CWD msg=audit(1408929267.798:74243): cwd="/home/user"
type=PATH msg=audit(1408929267.798:74243): item=0 name="/sbin/unix_chkpwd" inode=4333 dev=fd:00 mode=0104755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:chkpwd_exec_t:s0 nametype=NORMAL
type=PATH msg=audit(1408929267.798:74243): item=1 name=(null) inode=130610 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
type=USER_ACCT msg=audit(1408929267.802:74244): user pid=19126 uid=1853945932 auid=1853945932 ses=391 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="user" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=USER_CMD msg=audit(1408929267.802:74245): user pid=19126 uid=1853945932 auid=1853945932 ses=391 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/user" cmd="-bash" terminal=pts/0 res=success'
type=CRED_ACQ msg=audit(1408929267.803:74246): user pid=19126 uid=0 auid=1853945932 ses=391 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=failed'
type=USER_START msg=audit(1408929267.816:74247): user pid=19126 uid=0 auid=1853945932 ses=391 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'