Hey @drBeam
Hmm… I find those netlink AUDIT entries weird… Apparently Debian (but other distributions, too… never occurred to me on CentOS though) have somehow a systemd-journald-audit.socket and people have already complained about it and filed a pull request to have it disabled, look here:
Can you check whether you have this socket and/or auditd installed? I’d remove the latter, unless you need it, and I’d probably try to disable the former and reboot (just to be sure).
EDIT In case my previous sentence is ambiguous: You should reboot when you remove auditd, too.
Might that be your issue?
Regards,
Thomas