From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.2)
Gecko/20040301

Description of problem:
Problem manifested itself when testing audit code.  Transitioning from
default /var/log/message logging to auditd logging worked properly. 
When the auditd daemon was termintaed, or suspended, /var/log/message
should have been used to continue logging the audit records.  The
transition from auditd logging to /var/log/message logging never
occurred due to a typo in the af_netlink.c - netlink_unicast()
function returning the value of the socket buffer, not the proper
error code.  The audit code never received the proper error indication
so audit logging ceased untill the auditd daemon was restarted, or the
system was rebooted.

Version-Release number of selected component (if applicable):
kernel-2.6.6.1.359

How reproducible:
Always

Steps to Reproduce:
1.enable logging via auditctl
2.add an audit rule via audtictl
3.audit records go to /var/log/message
4.start auditd, records now go to auditd daemon
5.stop auditd
6.no additional audit records are recorded in /var/log/message
    

Actual Results:  as described

Expected Results:  audit records should go to /var/og/messages if no
auditd daemon is active.

Additional info: