Ok. For completeness, I believe the problem was that since the resultant /etc/audit/audit.rules had an error in it, when auditd attempted to restart, it got an error, and if one of the first directives was to delete all previous rules, then you ended up with no rules in place. IE
[root@stroomfp0 audit]# cat /etc/audit/audit.rules
## This file is automatically generated from /etc/audit/rules.d
-w /etc/docker/daemon.json -p wa -k docker CIS-1.11
[root@stroomfp0 audit]#
[root@stroomfp0 audit]# service auditd restart
Stopping logging: [ OK ]
Redirecting start to /bin/systemctl start auditd.service
[root@stroomfp0 audit]# tail /var/log/messages
Jun 27 21:16:17 stroomfp0 systemd: Starting Security Auditing Service...
Jun 27 21:16:18 stroomfp0 auditd[10342]: Started dispatcher: /sbin/audispd pid: 10346
Jun 27 21:16:18 stroomfp0 audispd: No plugins found, exiting
Jun 27 21:16:18 stroomfp0 kernel: type=1305 audit(1498562178.008:701):
audit_enabled=1 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
Jun 27 21:16:18 stroomfp0 kernel: type=1305 audit(1498562178.010:702): audit_pid=10342 old=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
Jun 27 21:16:18 stroomfp0 augenrules: /sbin/augenrules: No change
Jun 27 21:16:18 stroomfp0 auditctl: parameter passed without an option given
Jun 27 21:16:18 stroomfp0 auditctl: There was an error in line 5 of /etc/audit/audit.rules
Jun 27 21:16:18 stroomfp0 auditd[10342]: Init complete, auditd 2.6.5 listening for events (startup state enable)
Jun 27 21:16:18 stroomfp0 systemd: Started Security Auditing Service.
[root@stroomfp0 audit]#
Once you corrected the error, regenerated the rules files and the resultant auditd restart demonstrated it all worked.
Moral of the story, always check the message log on weird activity
:-)