🙂 Thanks for that. So it's a different daemon that handles the audit logging but it reads some config from the syslog.conf file. A little confusing but makes sense based on the tests I have been performing. In terms of the message loggin to console/file though, is the following correct:

• if there is an entry relating to message loggin to messages log/console it will override the default of *.info

> if there is an entry relating to message loggin to messages log/console it will override the default of *.info

Well, it is a bit dirrerent.
If you create custom syslog.conf file, syslogd works like that on other UNIX/Linux OS.
No line of /dev/console destination in syslog.conf, log output of console is completely disabled. Or, if /dev/console output is defined with other facility, syslog follows as it is.

I had to revisit this recently. It seems ( to me) that the following lines achieve the same namely sending the auditlog messages to a remote syslog server:

• local7.* @ipaddress
• cmdsaudit.auditlog @ipaddress

The only difference I can think of is this statement from here: https://kb.netapp.com/support/index?page=content&actp=LIST&id=1010374

"Note:
Audit log messages are more verbose than syslog messages. A typical syslog entry is a single line. A typical audit log entry is as follows:
date [method of access] :START:command incoming hostname
date [method of access] :IN:command "input" command being sent to filer
date [method of access] :OUT: output from command (may be multiple lines)
date [method of access] :END:command"

Is that the only difference between these configs?