Hi everyone,
We're using Chronicle (Google SecOps) as our SIEM, with a log forwarder configured to receive syslog data (on UDP port 10519) — including auditd logs (on UDP port 10518).
We now want to reliably forward auditd logs to syslog on RHEL 8 and RHEL 9 systems, so they can be ingested by Chronicle through the forwarder.
What We Found
We’ve reviewed the official documentation:
https://cloud.google.com/chronicle/docs/ingestion/auditd
However:
- It focuses on Debian/Ubuntu systems only
- Most other tutorials we found are outdated or rely on deprecated components like audispd-plugins
Our Goal
- Use the native auditd configuration on RHEL 8/9
- Forward audit logs to rsyslog, which then sends them to Chronicle
- Avoid deprecated or unnecessary plugins if possible
What We’re Asking
- What’s the recommended way on RHEL 8/9 to forward auditd logs to rsyslog?
- Should we still use audisp-syslog, or is there a more modern alternative?
- Is there any validated or community-tested setup specifically for RHEL systems?
Thanks in advance for your support
We’re aiming to implement this cleanly and will gladly share back an updated guide once it's working.
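For reference, the pipeline the post describes (auditd, then rsyslog, then the Chronicle forwarder's auditd listener on UDP 10518) can be expressed as two configuration files. This is an added example, not part of the original post and not Google's or Red Hat's documentation: on RHEL 8/9 the audisp plugins ship inside the audit package itself (the plugin directory is /etc/audit/plugins.d, the separate audispd-plugins package is gone), so audisp-syslog is still the supported path. The LOG_LOCAL6 facility, the rsyslog drop-in file name and the FORWARDER_IP placeholder are assumptions; substitute your own values.

```conf
# File 1: /etc/audit/plugins.d/syslog.conf
# Enables the built-in audisp-syslog plugin. On RHEL 8/9 this directory replaces
# the old /etc/audisp/plugins.d; the plugin binary itself is part of the audit package.
active = yes
direction = out
path = /sbin/audisp-syslog
type = always
# Priority LOG_INFO on facility LOG_LOCAL6 (facility is an assumed choice) so that
# rsyslog can select audit records without string-matching on message content.
args = LOG_INFO LOG_LOCAL6
format = string

# File 2: /etc/rsyslog.d/60-chronicle-auditd.conf   (assumed file name)
# Route only the audit facility to the forwarder's auditd listener (UDP 10518 from
# the post). 'stop' keeps the high-volume audit stream out of /var/log/messages.
# FORWARDER_IP is a placeholder for the Chronicle forwarder host.
if $syslogfacility-text == 'local6' then {
    action(type="omfwd" target="FORWARDER_IP" port="10518" protocol="udp")
    stop
}
```

After writing both files, reload rsyslog with `systemctl restart rsyslog` and restart auditd with `service auditd restart` (the auditd unit on RHEL refuses a manual stop through systemctl, so the legacy service command is the documented way). `auditctl -s` should then show the audit daemon running, and a quick `ausearch -m USER_LOGIN -ts recent` after a test login confirms records are being generated locally before you check arrival on the Chronicle side. Because every audit record now leaves the host, review the audit rules for volume first: an unfiltered syscall rule set on a busy server can saturate a UDP path and silently drop events.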