# rsyslog configuration (legacy directive syntax): load the local inputs,
# file messages from auditd separately, and forward everything to a remote
# collector. The directives are restored to one per line; collapsed onto a
# single line, the first "#" would comment out every rule after it.

# Inputs: local syslog socket, systemd journal, kernel log, text files.
# NOTE(review): loading imuxsock and imjournal together can record the same
# message twice on hosts where journald also forwards to the syslog socket.
# Confirm which of the two is intended.
$ModLoad imuxsock
$ModLoad imjournal
$ModLoad imklog
$ModLoad imfile

# Poll monitored files every 10 seconds. No imfile input is defined in this
# snippet, so the setting only matters if file inputs are declared elsewhere.
$InputFilePollInterval 10

# Directory for rsyslog's state and spool files. It should be writable only
# by the account rsyslog runs as.
$WorkDirectory /var/lib/rsyslog

# Write messages whose program name starts with "auditd" to the audit log.
# The leading "-" on the path tells rsyslog not to sync the file after each
# write.
# NOTE(review): /var/log/audit/audit.log is normally the file auditd writes
# itself. Appending syslog-formatted lines to it would mix two formats in one
# file and may be blocked by file permissions or SELinux policy. Confirm the
# destination, and confirm that "auditd" is the program name that the audit
# records of interest actually carry.
# There is no "& stop" after this rule, so matching messages also continue to
# the forwarding rule below.
:programname, startswith, "auditd" -/var/log/audit/audit.log

# Forward every facility and priority to the remote collector on port 514.
# A single "@" selects UDP: messages travel in cleartext, the sender is not
# authenticated, and datagrams can be dropped without any error.
# For security-relevant logs, prefer TCP ("@@") with TLS through rsyslog's
# network stream driver, plus a disk-assisted queue so that events are kept
# while the collector is unreachable.
*.* @remote-syslog-server:514