Comment 8 for bug 271252

Jesse Michael (jesse.michael) wrote:

It looks like the format for audit messages that show up in /var/log/messages when auditd is not running changed between Hardy and Intrepid.

The type=NNNN part of the message was after the "audit(NNNNNNNNNN.NNN:NN):" part in Hardy, but before it in Intrepid, and that's likely causing the log parsing code to break.

As a temporary workaround, I think installing the auditd package so that audit logs go to /var/log/audit/audit.log instead of /var/log/messages might work, but I'd suggest increasing max_log_file in /etc/audit/auditd.conf if AA is being used.
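
A parser that accepts both orderings described in the comment above, as an added example that is not part of the original comment and is not the project's own log parsing code. The two sample lines, their field names and values, and the function name `parse_audit_line` are constructed for illustration.

```python
import re

# Constructed sample lines (illustrative values, not taken from the bug report).
HARDY_LINE = ('Sep 16 10:00:01 host kernel: [  100.000000] '
              'audit(1221559201.123:45): type=1503 '
              'operation="inode_permission" name="/etc/foo" pid=4321')
INTREPID_LINE = ('Sep 16 10:00:01 host kernel: [  100.000000] '
                 'type=1503 audit(1221559201.123:45): '
                 'operation="inode_permission" name="/etc/foo" pid=4321')

_AUDIT = re.compile(r'audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):')
_TYPE_BEFORE = re.compile(r'\btype=(\w+)\s*$')   # Intrepid: type= ends the prefix
_TYPE_AFTER = re.compile(r'\s*type=(\w+)')       # Hardy: type= starts the suffix
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_line(line):
    """Return a dict for an audit record in either ordering, or None."""
    stamp = _AUDIT.search(line)
    if stamp is None:
        return None
    prefix, suffix = line[:stamp.start()], line[stamp.end():]

    # Only look directly adjacent to the audit(...) stamp, so a "type="
    # string inside a quoted field value is never mistaken for the record type.
    before = _TYPE_BEFORE.search(prefix)
    after = _TYPE_AFTER.match(suffix)
    if before:
        rec_type, rest = before.group(1), suffix
    elif after:
        rec_type, rest = after.group(1), suffix[after.end():]
    else:
        return None  # stamp present but no type on either side

    fields = {k: v.strip('"') for k, v in _FIELD.findall(rest)}
    return {'epoch': stamp.group('epoch'),
            'serial': int(stamp.group('serial')),
            'type': rec_type,
            'fields': fields}


if __name__ == '__main__':
    for sample in (HARDY_LINE, INTREPID_LINE):
        print(parse_audit_line(sample))
```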