diff -urp audit-3.0.orig/src/auditd.c audit-3.0/src/auditd.c
--- audit-3.0.orig/src/auditd.c	2018-12-06 20:01:06.923443360 -0500
+++ audit-3.0/src/auditd.c	2018-12-06 20:17:19.030339043 -0500
@@ -214,24 +214,35 @@ static void cont_handler(struct ev_loop
 static int extract_type(const char *str)
 {
-	const char *tptr, *ptr2, *ptr = str;
+	char tmp, *ptr2, *ptr = str;
+	int type;
 	if (*str == 'n') {
 		ptr = strchr(str+1, ' ');
 		if (ptr == NULL)
 			return -1; // Malformed - bomb out
 		ptr++;
 	}
+	// ptr should be at 't'
 	ptr2 = strchr(ptr, ' ');
-	// get type=xxx in a buffer
-	tptr = strndupa(ptr, ptr2 - ptr);
+	// find =
-	str = strchr(tptr, '=');
-	if (str == NULL)
+	str = strchr(ptr, '=');
+	if (str == NULL || str >= ptr2)
 		return -1; // Malformed - bomb out
+	// name is 1 past
 	str++;
-	return audit_name_to_msg_type(str);
+
+	// Save character & terminate string
+	tmp = *ptr2;
+	*ptr2 = 0;
+
+	type = audit_name_to_msg_type(str);
+
+	*ptr2 = tmp; // Restore character
+
+	return type;
 }
 void distribute_event(struct auditd_event *e)
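Review bot: `char tmp, *ptr2, *ptr = str;` silently drops the `const` of the `str` parameter, so the later `*ptr2 = 0;` writes into the caller's message buffer through a prototype that promises not to modify it; either change the signature to `static int extract_type(char *str)` so the in-place terminate/restore is visible at the call site, or keep `const` and copy the name into a small fixed local buffer instead. `ptr2 = strchr(ptr, ' ');` is also never checked for NULL: the function only bails out because `str >= ptr2` happens to hold against a null pointer, which is not a defined comparison, so add `if (ptr2 == NULL) return -1;` directly after that strchr. That check also covers a message that starts with `n` and has no further space after the node field, where `ptr` ends up on the terminator.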
@@ -250,18 +261,22 @@ void distribute_event(struct auditd_even
 			route = 0;
 		else {
 			// We only need the original type if its being routed
 			e->reply.type = extract_type(e->reply.message);
-			char *p = strchr(e->reply.message,
-					AUDIT_INTERP_SEPARATOR);
-			if (p)
-				proto = AUDISP_PROTOCOL_VER2;
-			else
-				proto = AUDISP_PROTOCOL_VER;
+			// Treat everything from the network as VER2
+			// because they are already formatted. This is
+			// important when it gets to the dispatcher which
+			// can strip node= when its VER1.
+			proto = AUDISP_PROTOCOL_VER2;
 		}
-	} else if (e->reply.type != AUDIT_DAEMON_RECONFIG)
-		// All other events need formatting
+	} else if (e->reply.type != AUDIT_DAEMON_RECONFIG) {
+		// All other local events need formatting
 		format_event(e);
-	else
+
+		// If the event has been formatted with node, upgrade
+		// to VER2 so that the dispatcher honors the formatting
+		if (config.node_name_format != N_NONE)
+			proto = AUDISP_PROTOCOL_VER2;
+	} else
 		route = 0; // Don't DAEMON_RECONFIG events until after enqueue
 	/* End of Event is for realtime interface - skip local logging of it */
@@ -748,6 +763,17 @@ int main(int argc, char *argv[])
 		return 1;
 	}
+	/* Startup libev and dispatcher */
+	loop = ev_default_loop(EVFLAG_NOENV);
+	if (init_dispatcher(&config)) {
+		if (pidfile)
+			unlink(pidfile);
+		tell_parent(FAILURE);
+		free_config(&config);
+		ev_default_destroy();
+		return 1;
+	}
+
 	/* Get machine name ready for use */
 	if (resolve_node(&config)) {
 		if (pidfile)
@@ -755,6 +781,7 @@ int main(int argc, char *argv[])
 		shutdown_dispatcher();
 		tell_parent(FAILURE);
 		free_config(&config);
+		ev_default_destroy();
 		return 1;
 	}
@@ -766,6 +793,7 @@ int main(int argc, char *argv[])
 		shutdown_dispatcher();
 		tell_parent(FAILURE);
 		free_config(&config);
+		ev_default_destroy();
 		return 1;
 	}
 	fcntl(pipefds[0], F_SETFD, FD_CLOEXEC);
@@ -785,6 +813,7 @@ int main(int argc, char *argv[])
 		tell_parent(FAILURE);
 		close_pipes();
 		free_config(&config);
+		ev_default_destroy();
 		return 1;
 	}
 	if (getsubj(subj))
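Review bot: The new unconditional `proto = AUDISP_PROTOCOL_VER2;` in the network branch is applied even when `extract_type(e->reply.message)` on the line just above returned -1 for a malformed message, so an event carrying type -1 is still handed to the dispatcher with a protocol version that tells it the text is already well-formed. Since `route = 0;` appears to be how the neighbouring branches withhold an event from the dispatcher, a guard such as `if (e->reply.type < 0) route = 0;` before the proto assignment would keep malformed network input from being forwarded as-is. In the local branch the VER2 upgrade keys on `config.node_name_format != N_NONE` rather than on whether `format_event(e)` actually emitted a node field; if format_event can skip or fail, a short comment stating that invariant (or a check of its result) would pin the assumption. The if/else chain this hunk edits starts above the hunk.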
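Review bot: `loop = ev_default_loop(EVFLAG_NOENV);` in the relocated startup block is not checked; libev returns a null loop when initialisation fails, and the code then calls `init_dispatcher(&config)`, later `ev_io_start(loop, ...)`, and `ev_default_destroy()` on every exit regardless, so add a NULL check on `loop` that takes the same unlink/tell_parent/free_config exit before init_dispatcher is called. Because the dispatcher is now started this early, every failure exit that follows must also tear it down: the -755 and -766 hunks show `shutdown_dispatcher();` in their context, but the -785, -811, -849 and -877 hunks only show `tell_parent`/`close_pipes`/`free_config` plus the added `ev_default_destroy();` — confirm `shutdown_dispatcher()` is present above the visible context of each of those exits, otherwise the dispatcher (and anything it spawned) is left running on those paths. main() continues outside each of these hunks.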
@@ -811,6 +840,7 @@ int main(int argc, char *argv[])
 		tell_parent(FAILURE);
 		close_pipes();
 		free_config(&config);
+		ev_default_destroy();
 		return 1;
 	}
 }
@@ -821,6 +851,7 @@ int main(int argc, char *argv[])
 	/* let config manager init */
 	init_config_manager();
+	/* Depending on value of opt_startup (-s) set initial audit state */
 	if (opt_startup != startup_nochange && !opt_aggregate_only && (audit_is_enabled(fd) < 2) && audit_set_enabled(fd, (int)opt_startup) < 0) {
@@ -849,6 +880,7 @@ int main(int argc, char *argv[])
 		tell_parent(FAILURE);
 		close_pipes();
 		free_config(&config);
+		ev_default_destroy();
 		return 1;
 	}
@@ -877,20 +909,11 @@ int main(int argc, char *argv[])
 		tell_parent(FAILURE);
 		close_pipes();
 		free_config(&config);
+		ev_default_destroy();
 		return 1;
 	}
-	/* Depending on value of opt_startup (-s) set initial audit state */
-	loop = ev_default_loop (EVFLAG_NOENV);
-
-	if (init_dispatcher(&config)) {
-		if (pidfile)
-			unlink(pidfile);
-		tell_parent(FAILURE);
-		free_config(&config);
-		return 1;
-	}
-
+	/* Start up all the handlers */
 	if (!opt_aggregate_only) {
 		ev_io_init (&netlink_watcher, netlink_handler, fd, EV_READ);
 		ev_io_start (loop, &netlink_watcher);
diff -urp audit-3.0.orig/src/auditd-dispatch.c audit-3.0/src/auditd-dispatch.c
--- audit-3.0.orig/src/auditd-dispatch.c	2018-08-31 17:05:48.000000000 -0400
+++ audit-3.0/src/auditd-dispatch.c	2018-12-06 20:17:09.769340037 -0500
@@ -70,6 +70,7 @@ int dispatch_event(const struct audit_re
 	if (!libdisp_active())
 		return 0;
+	// Translate event into dispatcher format
 	e = malloc(sizeof(event_t));
 	if (e == NULL)
 		return -1;
@@ -78,6 +79,7 @@ int dispatch_event(const struct audit_re
 	e->hdr.hlen = sizeof(struct audit_dispatcher_header);
 	e->hdr.type = rep->type;
+	// Network originating events have data at rep->message
 	if (protocol_ver == AUDISP_PROTOCOL_VER) {
 		e->hdr.size = rep->msg.nlh.nlmsg_len;
 		memcpy(e->data, (void*)rep->msg.data, e->hdr.size);
diff -urp audit-3.0.orig/src/auditd-event.c audit-3.0/src/auditd-event.c
--- audit-3.0.orig/src/auditd-event.c	2018-08-31 17:05:48.000000000 -0400
+++ audit-3.0/src/auditd-event.c	2018-12-06 20:17:09.769340037 -0500
@@ -225,8 +225,10 @@ static void replace_event_msg(struct aud
 			e->reply.message = strndup(buf, MAX_AUDIT_MESSAGE_LENGTH-1);
 			len = MAX_AUDIT_MESSAGE_LENGTH;
 		}
-		e->reply.msg.nlh.nlmsg_len = e->reply.len;
-		e->reply.len = len;
+		// For network originating events, len should be used
+		if (!from_network(e)) // V1 protocol msg size
+			e->reply.msg.nlh.nlmsg_len = e->reply.len;
+		e->reply.len = len; // V2 protocol msg size
 	}
 }
@@ -500,7 +502,7 @@ struct auditd_event *create_event(char *
 	e->sequence_id = sequence_id;
 	/* Network originating events need things adjusted to mimic netlink. */
-	if (e->ack_func)
+	if (from_network(e))
 		replace_event_msg(e, msg);
 	return e;
@@ -570,7 +572,7 @@ void handle_event(struct auditd_event *e
 static void send_ack(const struct auditd_event *e, int ack_type, const char *msg)
 {
-	if (e->ack_func) {
+	if (from_network(e)) {
 		unsigned char header[AUDIT_RMW_HEADER_SIZE];
 		AUDIT_RMW_PACK_HEADER(header, 0, ack_type, strlen(msg),
diff -urp audit-3.0.orig/src/auditd-event.h audit-3.0/src/auditd-event.h
--- audit-3.0.orig/src/auditd-event.h	2018-08-31 17:05:48.000000000 -0400
+++ audit-3.0/src/auditd-event.h	2018-12-06 20:17:09.769340037 -0500
@@ -36,6 +36,9 @@ struct auditd_event {
 	unsigned long sequence_id;
 };
+static inline int from_network(const struct auditd_event *e)
+{ if (e && e->ack_func) return 1; return 0; };
+
 #include "auditd-config.h"
 int dispatch_network_events(void);
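Review bot: The added comment `// Network originating events have data at rep->message` sits directly above `if (protocol_ver == AUDISP_PROTOCOL_VER)`, whose body copies `rep->msg.data` with `nlmsg_len` — the opposite of what the comment describes — so a reader will attach it to the wrong branch; move it to the else branch (outside the hunk) or reword it to `// VER1: raw netlink payload in rep->msg.data; VER2 (incl. network originating events): text in rep->message`, adjusting for what the else branch actually does since it is not visible here. The adjacent `memcpy(e->data, (void*)rep->msg.data, e->hdr.size);` copies `nlmsg_len` bytes with no check against the capacity event_t reserves for `data`; with network events now always VER2 this branch should only see kernel-sized payloads, but a comment stating that, or an explicit bound on `e->hdr.size`, would document why the copy cannot overrun. dispatch_event continues outside the hunk.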
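Review bot: The new `if (!from_network(e))` branch in replace_event_msg looks unreachable: the only caller visible in this patch is create_event (the -500 hunk), which already guards the call with `if (from_network(e))`, so `nlmsg_len` is no longer assigned here and keeps whatever create_event left in it. Either drop the dead assignment and say in the comment that the V1 `nlmsg_len` is intentionally left as set by create_event for network events, or, if another caller exists, name it in the comment so the branch is not removed by mistake. Adjacent and unchanged, `e->reply.message = strndup(buf, MAX_AUDIT_MESSAGE_LENGTH-1);` is not checked for NULL before `len` and `e->reply.len` are set as if it succeeded. replace_event_msg's body starts above the hunk.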
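Review bot: `{ if (e && e->ack_func) return 1; return 0; };` ends with a stray `;` after the function body, which is an empty declaration at file scope (a warning under `-pedantic`), and the one-line body hides the logic; drop the trailing semicolon and write the body as `return e != NULL && e->ack_func != NULL;` on its own line. A one-line doc comment above the definition, e.g. `/* True when the event arrived over the network, i.e. it carries an ack callback. */`, would also record why `ack_func` is the discriminator, since that is the assumption the -225, -500 and -570 hunks now all depend on.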