It looks like the format for audit messages that show up in /var/log/messages when auditd is not running changed between Hardy and Intrepid.
The type=NNNN part of the message was after the "audit(NNNNNNNNNN.NNN:NN):" part in Hardy, but before it in Intrepid, and that's likely causing the log parsing code to break.
As a temporary workaround, I think installing the auditd package so that audit logs go to /var/log/audit/audit.log instead of /var/log/messages might work, but I'd suggest increasing max_log_file in /etc/audit/auditd.conf if AA is being used.
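The following is an added example, not part of the original comment and not the AppArmor tools' own parsing code: a Python parser that accepts both header orderings described above and normalises them to one record. The sample lines are constructed to follow the two layouts; the fields after the header and the names `parse_audit_line`, `HARDY_SAMPLE` and `INTREPID_SAMPLE` are assumptions.

```python
import re

# Header pieces as quoted in the comment: audit(NNNNNNNNNN.NNN:NN): and type=NNNN
STAMP = r'audit\((?P<epoch>\d+)\.(?P<msec>\d+):(?P<serial>\d+)\):'
TYPE = r'\btype=(?P<type>\d+)'
LAYOUTS = [
    ("stamp-first", re.compile(rf'{STAMP}\s+{TYPE}\s*(?P<rest>.*)')),  # Hardy
    ("type-first", re.compile(rf'{TYPE}\s+{STAMP}\s*(?P<rest>.*)')),   # Intrepid
]
# key=value or key="quoted value" pairs following the header
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines (not taken from a real log); trailing fields are assumed.
HARDY_SAMPLE = ('Oct 20 10:00:01 host kernel: [ 1234.567890] '
                'audit(1224496801.123:45): type=1503 '
                'operation="inode_permission" name="/etc/example" pid=4321')
INTREPID_SAMPLE = ('Oct 20 10:00:01 host kernel: [ 1234.567890] '
                   'type=1503 audit(1224496801.123:45): '
                   'operation="inode_permission" name="/etc/example" pid=4321')


def parse_audit_line(line):
    """Return a normalised dict for an audit line in either layout, else None."""
    hits = []
    for layout, rx in LAYOUTS:
        m = rx.search(line)
        if m:
            hits.append((m.start(), layout, m))
    if not hits:
        return None
    # Take the earliest header in the line, so header-like text that appears
    # inside a later field value is not mistaken for the real one.
    _, layout, m = min(hits, key=lambda h: h[0])
    return {
        "layout": layout,
        "type": int(m["type"]),
        "epoch": int(m["epoch"]),
        "msec": int(m["msec"]),
        "serial": int(m["serial"]),
        "fields": {k: quoted or bare for k, quoted, bare in KV.findall(m["rest"])},
    }


if __name__ == "__main__":
    for sample in (HARDY_SAMPLE, INTREPID_SAMPLE):
        print(parse_audit_line(sample))
```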