We are considering moving from rsyslog to auditd, but I have not found how an application should output a log message to auditd. (With rsyslog it is well documented).
Your understanding of auditd as a replacement for logging is incorrect. Auditd is not a direct replacement for syslog/rsyslog type logging. Rather it produces logs based on system calls to the kernel.
The man page explains it:
auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing the logs is done with the ausearch or aureport utilities. Configuring the audit system or loading rules is done with the auditctl utility. During startup, the rules in /etc/audit/audit.rules are read by auditctl and loaded into the kernel. Alternately, there is also an augenrules program that reads rules located in /etc/audit/rules.d/ and compiles them into an audit.rules file. The audit daemon itself has some configuration options that the admin may wish to customize. They are found in the auditd.conf file.
There's also a good overview of auditd, titled: A Brief Introduction to auditd:
.... Since it operates at the kernel level this gives us a hook into any system operation we want. We have the option to write a log any time a particular system call happens, whether that be unlink or getpid. We can monitor access to any file, all network traffic, really anything we want. The level of detail is pretty phenomenal and, since it operates at such a low level, the granularity of information is incredibly useful.
I would also direct you to this tutorial titled: How To Use the Linux Auditing System on CentOS 7. There's an example of the types of logging you'll get from auditd.
type=SYSCALL msg=audit(1434371271.277:135496): arch=c000003e syscall=2 success=yes exit=3 a0=7fff0054e929 a1=0 a2=1fffffffffff0000 a3=7fff0054c390 items=1 ppid=6265 pid=6266 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=113 comm="cat" exe="/usr/bin/cat" key="sshconfigchange"
type=CWD msg=audit(1434371271.277:135496): cwd="/home/sammy"
type=PATH msg=audit(1434371271.277:135496): item=0 name="/etc/ssh/sshd_config" inode=392210 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
This is all from a single event, but 3 messages were logged via auditd. You can tell which events are associated via the msg=audit(...) fields.
I show you this example because this type of logging is being driven from the kernel, not the applications themselves.
NOTE: Auditd's true purpose is to produce an audit log of interactions with the Linux kernel, whereas syslog/rsyslog are really meant for general purpose logging from the applications themselves.
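As an added example (not from the answer above or from the auditd project), the following Python script parses the three records shown in the answer, groups them by the msg=audit(time:serial) identifier that ties one event's records together, and joins the SYSCALL, CWD and PATH records into a single summary of who touched which file. The sample input is the answer's own three lines, embedded inline as a constructed string.

```python
import re
from collections import OrderedDict

# Constructed sample input: the three records from the answer above. All three
# carry the same msg=audit(timestamp:serial) identifier, i.e. they are one event.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1434371271.277:135496): arch=c000003e syscall=2 success=yes exit=3 a0=7fff0054e929 a1=0 a2=1fffffffffff0000 a3=7fff0054c390 items=1 ppid=6265 pid=6266 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=113 comm="cat" exe="/usr/bin/cat" key="sshconfigchange"
type=CWD msg=audit(1434371271.277:135496): cwd="/home/sammy"
type=PATH msg=audit(1434371271.277:135496): item=0 name="/etc/ssh/sshd_config" inode=392210 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
"""

# key=value pairs; a value is either double-quoted (may contain spaces) or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The identifier shared by every record of one event: msg=audit(<time>:<serial>):
EVENT_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\):')


def parse_record(line):
    """Parse one audit record into a dict of fields; 'event' holds (time, serial)."""
    m = EVENT_RE.search(line)
    if m is None:
        raise ValueError("not an audit record: %r" % line)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["event"] = (m.group(1), m.group(2))
    return fields


def group_events(text):
    """Group records by event id, keeping the order in which events first appear."""
    events = OrderedDict()
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec["event"], []).append(rec)
    return events


def summarize(records):
    """Join the SYSCALL record's who/what fields with the CWD and PATH records."""
    syscall = next(r for r in records if r["type"] == "SYSCALL")
    paths = [r["name"] for r in records if r["type"] == "PATH"]
    cwd = next((r["cwd"] for r in records if r["type"] == "CWD"), None)
    return {
        "auid": syscall["auid"], "uid": syscall["uid"], "exe": syscall["exe"],
        "syscall": syscall["syscall"], "success": syscall["success"],
        "key": syscall.get("key"), "cwd": cwd, "paths": paths,
    }


if __name__ == "__main__":
    for event_id, recs in group_events(SAMPLE_LOG).items():
        print(event_id, summarize(recs))
```

The auid field (the login UID, 1000 here) survives su/sudo, which is why it rather than uid=0 identifies the person who read the file.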