We have configured the audit plugin to write to syslog so that log forwarding can send logs from all servers to a central repository. We have noticed a problem with the way the facility & priority are being sent.
It looks like the facility is being shifted 3 to the left twice which is causing the final facility value to be out by a factor of 8.
I've included a config.txt file to show the configuration we are using. and a tcpdmp.txt file to show the tcpdump output for LOG_AUTH and LOG_USER. both are with LOG_INFO (6) as the severity
Basically, we are expecting final priority to be 14 for LOG_USER (8+6) and 38 for LOG_AUTH (32+6). But we are actually getting LOG_USER as 70 (8 * 8 +6) and LOG_AUTH as 262 (32*8+6) and this is only supposed to be an 8 bit integer.