I like how you went with a fresh codebase and talking directly to the kernel (netlink). In theory this should yield better performance and simpler conversion.
I’m working on a similar task at Red Hat, but using libauparse and running under auditd and audispd for live streaming, although the tool also supports single-shot log conversion.
I’ll be taking a closer look at go-audit. You can also drop by and take a look at what I’m doing, and perhaps we can share a few things.
Here’s my project: https://github.com/Scribery/aushape