The short version: auditctl fails to start at boot which blocks auditd from starting.
I'd like to say the logs were super helpful, but I doubt this helps anyone else more than it helped me.
$ sudo cat /run/uncaught-logs/current
@4000000066cc9bf016f91656 s6-rc: warning: unable to start service auditctl: command exited 1
Both work fine when started from the cli ("No rules" is expected output for auditctl, not a misconfiguration).
$ sudo auditctl -R /etc/audit/audit.rules
No rules
$ sudo auditd -n -f
Config file /etc/audit/auditd.conf opened for parsing
local_events_parser called with: yes
write_logs_parser called with: yes
log_file_parser called with: /var/log/audit/audit.log
...
The services fail regardless of whether it's at boot or manually attempted later. I'm not sure about this one, maybe someone else has run into it?
I generated audit.rules using augenrules and ran the service which worked fine for me. The only real difference I noticed is that this command:
sudo auditctl -R /etc/audit/audit.rules
returns no output for me. My audit.rules file is blank and auditctl -l lists no rules as expected.
I should have provided more information. Sorry, but at this point I don't think it's your bug anyway - Arch Issue (https://gitlab.archlinux.org/archlinux/packaging/packages/audit/-/issues/2)
My system uses augenrules to compile the files in /etc/audit/rules.d into /etc/audit/audit.rules, so I have that file populated at boot when it is triggered. I did have to modify the service file to accommodate that, which worked great until recently.
Tonight I was also playing around and ran aureport, which indicated logging stopped the morning of 8/20. Pacman logs show auditd was updated to 4.0.2 the night before, of course. There was an issue filed with auditd too, however they closed it as distro specific.
Edit: downgrading audit to 4.0.1-3 fixed it, thanks for your help, will mark solved since it's upstream