Split logging on rsyslogd

0 votes
1 answer
349 views
My goal is to send all logs to one remote source and still log locally, but then send all the AuditD logs to their own source on port 20002. But for some reason, my auditd logs are still ending up with my syslogs going to port 20000.

/etc/rsyslog.conf:

    cat /etc/rsyslog.conf
    module(load="imuxsock") # provides support for local system logging
    module(load="imklog")   # provides kernel logging support
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
    $FileOwner root
    $FileGroup adm
    $FileCreateMode 0640
    $DirCreateMode 0755
    $Umask 0022
    $WorkDirectory /var/spool/rsyslog
    $IncludeConfig /etc/rsyslog.d/*.conf
    local7.* ~
    auth,authpriv.* /var/log/auth.log
    *.*;auth,authpriv.none -/var/log/syslog
    cron.* /var/log/cron.log
    daemon.* -/var/log/daemon.log
    kern.* -/var/log/kern.log
    lpr.* -/var/log/lpr.log
    mail.* -/var/log/mail.log
    user.* -/var/log/user.log
    mail.info -/var/log/mail.info
    mail.warn -/var/log/mail.warn
    mail.err /var/log/mail.err
    *.=debug;\
        auth,authpriv.none;\
        mail.none -/var/log/debug
    *.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail.none -/var/log/messages
    *.emerg :omusrmsg:*

/etc/rsyslog.d/rsyslog_d_all.conf:

    *.*;!local7.* action(type="omfwd" target="10.10.1.23" port="20000" protocol="tcp")

rsyslog_d_auditd.conf:

    $ModLoad imfile
    local7.* action(type="omfwd" target="10.10.1.23" port="20002" protocol="tcp")
    $InputFileName /var/log/audit/audit.log
    $InputFileTag tag_audit_log:
    $InputFileStateFile audit_log
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
Asked by Jason (1754 rep)
Jul 1, 2023, 04:33 PM
Last activity: Jul 2, 2023, 02:31 PM
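A corrected pair of drop-in files, added here as an illustration and not taken from the question or its answer. It assumes the standard rsyslog selector syntax `facility.none` for leaving a facility out of a `*.*` rule, and that `!local7.*` in the facility position is not parsed as an exclusion (so the port 20000 rule keeps matching the audit lines); the `input()` form of the imfile directives is used in place of the legacy `$Input...` lines.

```conf
# /etc/rsyslog.d/rsyslog_d_all.conf  (added example, not the asker's file)
# Forward everything except the local7 facility, which carries the audit
# file, to port 20000. "local7.none" is the selector syntax for excluding a
# facility; a "!" in the facility position is not an exclusion operator in
# the legacy selector grammar, so the original "*.*;!local7.*" still matched
# the audit lines.
*.*;local7.none action(type="omfwd" target="10.10.1.23" port="20000" protocol="tcp")

# /etc/rsyslog.d/rsyslog_d_auditd.conf  (added example, not the asker's file)
# Load imfile and declare the input before the rule that consumes it.
# Parameter values are the same as in the question; only the syntax changes.
module(load="imfile")
input(type="imfile"
      File="/var/log/audit/audit.log"
      Tag="tag_audit_log:"
      StateFile="audit_log"
      Severity="info"
      Facility="local7")

# Audit lines only, to their own port. The "local7.* ~" line that follows
# the include in rsyslog.conf then discards them before the local file rules.
local7.* action(type="omfwd" target="10.10.1.23" port="20002" protocol="tcp")
```

Running `rsyslogd -N1` validates the configuration without starting the daemon and reports any selector or facility name it cannot parse, which is the quickest way to confirm that the exclusion is actually taking effect.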