audit-userspace
Multiple af_unix plugins on audit 2.8.5 cause duplicated output
I've tried creating my own plugin of type af_unix on Ubuntu 20.04 and RHEL 7 systems (audit 2.8.5). Everything looked fine: I could connect to the socket on the given file and then listen to events. After that I installed Wazuh, which creates its own af_unix plugin in some other location.
It causes events to be duplicated in both sockets, as you can see in this output:
node=tperka-Latitude-5401 type=SYSCALL msg=audit(1729852173.202:4148): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7fb55273b600 a2=341 a3=1b6 items=2 ppid=5310 pid=11716 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="zsh" exe="/usr/bin/zsh" subj=unconfined key=<null>
node=tperka-Latitude-5401 type=SYSCALL msg=audit(1729852173.202:4148): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7fb55273b600 a2=341 a3=1b6 items=2 ppid=5310 pid=11716 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="zsh" exe="/usr/bin/zsh" subj=unconfined key=<null>
node=tperka-Latitude-5401 type=CWD msg=audit(1729852173.202:4148): cwd="/home/tperka/audit_test"
node=tperka-Latitude-5401 type=CWD msg=audit(1729852173.202:4148): cwd="/home/tperka/audit_test"
node=tperka-Latitude-5401 type=PATH msg=audit(1729852173.202:4148): item=0 name="/home/tperka/audit_test" inode=7586118 dev=103:02 mode=040777 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
node=tperka-Latitude-5401 type=PATH msg=audit(1729852173.202:4148): item=0 name="/home/tperka/audit_test" inode=7586118 dev=103:02 mode=040777 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
node=tperka-Latitude-5401 type=PATH msg=audit(1729852173.202:4148): item=1 name="B" inode=7478893 dev=103:02 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
node=tperka-Latitude-5401 type=PATH msg=audit(1729852173.202:4148): item=1 name="B" inode=7478893 dev=103:02 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
node=tperka-Latitude-5401 type=PROCTITLE msg=audit(1729852173.202:4148): proctitle="zsh"
node=tperka-Latitude-5401 type=PROCTITLE msg=audit(1729852173.202:4148): proctitle="zsh"
node=tperka-Latitude-5401 type=EOE msg=audit(1729852173.202:4148):
node=tperka-Latitude-5401 type=EOE msg=audit(1729852173.202:4148):
Of course, when I create a third plugin (e.g. activate the default example af_unix plugin), there are three copies of each record in every socket. This issue does not occur on an Alma Linux 9 system (audit 3.1.2).
How can I deal with such behavior? Is it expected? Is there any workaround?
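Added example, not code from audit-userspace or from the reporter: a consumer-side workaround that reads the records as a socket client would receive them and emits each distinct record once per audit event serial, so a second (or third) af_unix plugin fanning out copies does not inflate downstream counts. The sample input is constructed from the duplicated output above (fields shortened); the regex on `msg=audit(ts:serial)` is the only assumption about record shape.

```python
import re
from collections import OrderedDict

# Every audit record carries msg=audit(<timestamp>:<serial>); all records of
# one event share the same pair, so it is the natural dedup scope.
AUDIT_MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

# Constructed sample: one event, each record delivered twice (two plugins).
SAMPLE = """\
node=h1 type=SYSCALL msg=audit(1729852173.202:4148): arch=c000003e syscall=257 success=yes comm="zsh"
node=h1 type=SYSCALL msg=audit(1729852173.202:4148): arch=c000003e syscall=257 success=yes comm="zsh"
node=h1 type=CWD msg=audit(1729852173.202:4148): cwd="/home/tperka/audit_test"
node=h1 type=CWD msg=audit(1729852173.202:4148): cwd="/home/tperka/audit_test"
node=h1 type=PATH msg=audit(1729852173.202:4148): item=0 name="/home/tperka/audit_test" nametype=PARENT
node=h1 type=PATH msg=audit(1729852173.202:4148): item=0 name="/home/tperka/audit_test" nametype=PARENT
node=h1 type=PATH msg=audit(1729852173.202:4148): item=1 name="B" nametype=NORMAL
node=h1 type=PATH msg=audit(1729852173.202:4148): item=1 name="B" nametype=NORMAL
node=h1 type=PROCTITLE msg=audit(1729852173.202:4148): proctitle="zsh"
node=h1 type=PROCTITLE msg=audit(1729852173.202:4148): proctitle="zsh"
node=h1 type=EOE msg=audit(1729852173.202:4148):
node=h1 type=EOE msg=audit(1729852173.202:4148):
"""


def dedupe_records(lines, max_events=64):
    """Return the records with exact duplicates dropped within each event.

    Copies from several plugins need not arrive adjacent, so a set of record
    texts is kept per (timestamp, serial). Only the most recent `max_events`
    serials are remembered, which bounds memory on a long-lived socket reader.
    Lines without an audit message header are passed through unchanged.
    """
    seen = OrderedDict()  # (timestamp, serial) -> set of emitted record texts
    out = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        m = AUDIT_MSG_RE.search(line)
        if m is None:
            out.append(line)
            continue
        bucket = seen.setdefault((m.group(1), m.group(2)), set())
        if line in bucket:
            continue  # already emitted for this event: a plugin fan-out copy
        bucket.add(line)
        out.append(line)
        while len(seen) > max_events:
            seen.popitem(last=False)  # forget the oldest event
    return out
```

The same set-per-serial logic collapses three or more copies just as well, and an unknown line type (no `msg=audit` header) is never silently dropped.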