If using a universal forwarder to collect auditd events, all that is required is to specify the sourcetype 'linux:audit' in the file's inputs.conf monitor stanza. However, in your case I would recommend using a heavy forwarder on the syslog server so you can apply index-time transformations before events are forwarded to Splunk Cloud. The reason I suggest this is that the syslog service is putting events of different sourcetypes into the same file, and so index-time transformations are required to sourcetype them correctly on an event-by-event basis. This could be done on the indexers in Splunk Cloud; however, you would need to contact support.
The 'auditd' eventtype is not provided by the Linux Auditd app (TA_linux-auditd). It is from the Splunk_TA_nix app and is applied to events with the sourcetype 'auditd', indicating that your events may not be being sourcetyped correctly. Furthermore, the sample event provided doesn't appear to actually be an auditd event at all. The 'auditd' sourcetype will not work with the Linux Auditd app, please see: https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#sourcetype
Irrespective of the Linux Auditd app being used or not, the best practice is to collect events as close to the source as possible in order to retain fidelity and provide other benefits, such as load-balancing, etc. In practice, this means installing universal forwarders on endpoints (where possible), rather than using syslog or some other means of collection. In this way, I would encourage you to reconsider the use of syslog for collecting auditd events.
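As an added example (not part of the original answer, and not configuration shipped by the Linux Auditd app or Splunk_TA_nix), the two collection paths described above look like this in Splunk configuration. The file paths, the index name and the stanza/transform names are assumptions chosen for illustration; the regex assumes the syslog writer prepends a header (timestamp, host, program) ahead of the native `type=... msg=audit(` prefix, which is the part worth checking against a real sample line before deploying.

```ini
# --- Path 1: universal forwarder on the endpoint (preferred) ---
# $SPLUNK_HOME/etc/apps/<your_inputs_app>/local/inputs.conf
# Reading audit.log directly keeps the native auditd record intact and only
# needs the sourcetype set; no index-time parsing is required.
[monitor:///var/log/audit/audit.log]
sourcetype = linux:audit
index = os_audit
disabled = false

# --- Path 2: heavy forwarder on the syslog server (mixed-sourcetype file) ---
# $SPLUNK_HOME/etc/apps/<your_parsing_app>/local/inputs.conf
# The syslog service writes several sourcetypes into one file (assumed path),
# so events arrive with a generic sourcetype and are re-typed per event below.
[monitor:///var/log/remote/hosts/*/syslog.log]
sourcetype = syslog
index = os_audit
host_segment = 4
disabled = false

# $SPLUNK_HOME/etc/apps/<your_parsing_app>/local/props.conf
# Index-time transforms run on the heavy forwarder before data leaves for
# Splunk Cloud; a universal forwarder would not apply them.
[syslog]
TRANSFORMS-set_audit_sourcetype = route_auditd_events

# $SPLUNK_HOME/etc/apps/<your_parsing_app>/local/transforms.conf
# Match only lines that carry an auditd record after the syslog header and
# rewrite their sourcetype to linux:audit; everything else keeps 'syslog'.
# Constructed sample line this REGEX is written against:
#   Jun  3 10:15:02 web01 audispd: type=SYSCALL msg=audit(1717409702.123:9876): arch=c000003e syscall=59 success=yes
[route_auditd_events]
REGEX = ^[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s\S+:\s+type=\w+\s+msg=audit\(
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::linux:audit
```

After restarting the heavy forwarder, a search such as `index=os_audit | stats count by sourcetype` should show the auditd records under `linux:audit` and the remaining lines under `syslog`; if everything still lands in `syslog`, the syslog header format differs from the assumed one and the REGEX needs adjusting to the real sample. Note that the syslog header itself stays in the event on this path, which is one of the fidelity costs the answer above refers to and a reason to prefer Path 1 where endpoints can run a forwarder.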