diff -urp audit-2.6.5.orig/src/auditd-config.c audit-2.6.5/src/auditd-config.c

--- audit-2.6.5.orig/src/auditd-config.c	2016-07-14 15:53:39.000000000 +0000

+++ audit-2.6.5/src/auditd-config.c	2017-01-20 15:59:31.719704789 +0000

@@ -841,8 +841,7 @@ static int log_format_parser(struct nv_p

 			if (config->log_format == LF_NOLOG) {

 				audit_msg(LOG_WARNING,

 				    "The NOLOG option to log_format is deprecated. Please use the write_logs option.");

-				if (config->log_format == LF_NOLOG &&

-					config->write_logs != 0)

+				if (config->write_logs != 0)

 					audit_msg(LOG_WARNING,

 					    "The NOLOG option is overriding the write_logs current setting.");

 				config->write_logs = 0;

diff -urp audit-2.6.5.orig/src/auditd-event.c audit-2.6.5/src/auditd-event.c

--- audit-2.6.5.orig/src/auditd-event.c	2017-01-20 15:54:57.969419865 +0000

+++ audit-2.6.5/src/auditd-event.c	2017-01-20 16:04:17.562133973 +0000

@@ -48,6 +48,8 @@

 extern volatile int stop;

 /* Local function prototypes */

+static void send_ack(const struct auditd_event *e, int ack_type,

+			const char *msg);

 static void write_to_log(const struct auditd_event *e);

 static void check_log_file_size(void);

 static void check_space_left(void);

@@ -496,7 +498,7 @@ void handle_event(struct auditd_event *e

 		if (config->write_logs == 0)

 			return;

 	}

-	if (!logging_suspended) {

+	if (!logging_suspended && config->write_logs) {

 		write_to_log(e);

 		/* See if we need to flush to disk manually */

@@ -537,7 +539,10 @@ void handle_event(struct auditd_event *e

 				}

 			}

 		}

-	}

+	} else if (!config->write_logs)

+		send_ack(e, AUDIT_RMW_TYPE_ACK, "");

+	// FIXME: When logging is suspended, what should remote do?

+	// Should probably be new response type

 }

 static void send_ack(const struct auditd_event *e, int ack_type,