From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.2) Gecko/20040301 Description of problem: Problem manifested itself when testing audit code. Transitioning from default /var/log/message logging to auditd logging worked properly. When the auditd daemon was termintaed, or suspended, /var/log/message should have been used to continue logging the audit records. The transition from auditd logging to /var/log/message logging never occurred due to a typo in the af_netlink.c - netlink_unicast() function returning the value of the socket buffer, not the proper error code. The audit code never received the proper error indication so audit logging ceased untill the auditd daemon was restarted, or the system was rebooted. Version-Release number of selected component (if applicable): kernel-2.6.6.1.359 How reproducible: Always Steps to Reproduce: 1.enable logging via auditctl 2.add an audit rule via audtictl 3.audit records go to /var/log/message 4.start auditd, records now go to auditd daemon 5.stop auditd 6.no additional audit records are recorded in /var/log/message Actual Results: as described Expected Results: audit records should go to /var/og/messages if no auditd daemon is active. Additional info: