auditd.conf

destination d_auditd {
    file("/var/log/auditd.json" template("$(format-json .auditd.*)\n"));
};

parser p_auditd {
    linux-audit-parser (prefix(".auditd."));
};

filter f_auditd {program("audispd")};

#log {
#        source(s_remote_bsd);
#        source(s_remote_ietf);
#        source(s_remote_tcp);
#        source(s_src);
#       filter(f_auditd);
#       parser(p_auditd);
#       destination(d_auditd);
#};

Process Auditd syslog messages into JSON. Tested on syslog-ng 3.8