auditd service fails to start with error “Could not open dir /var/log/audit (No such file or directory)”

Starting the auditd service fails:

# systemctl start auditd
Job for auditd.service failed because the control process exited with error code.
See "systemctl status auditd.service" and "journalctl -xe" for details.

/var/log/messages shows:

Sep  6 15:57:13 ol8-host systemd[1]: auditd.service: Service RestartSec=100ms expired, scheduling restart.
Sep  6 15:57:13 ol8-host systemd[1]: auditd.service: Scheduled restart job, restart counter is at 4.
Sep  6 15:57:13 ol8-host systemd[1]: Stopped Security Auditing Service.
Sep  6 15:57:13 ol8-host systemd[1]: Starting Security Auditing Service...
Sep  6 15:57:13 ol8-host auditd[18714]: Could not open dir /var/log/audit (No such file or directory)
Sep  6 15:57:13 ol8-host auditd[18714]: The audit daemon is exiting.
Sep  6 15:57:13 ol8-host systemd[1]: auditd.service: Control process exited, code=exited status=6
Sep  6 15:57:13 ol8-host systemd[1]: auditd.service: Failed with result 'exit-code'.
Sep  6 15:57:13 ol8-host systemd[1]: Failed to start Security Auditing Service.
Sep  6 15:57:13 ol8-host systemd[1]: auditd.service: Service RestartSec=100ms expired, scheduling restart.
Sep  6 15:57:13 ol8-host systemd[1]: auditd.service: Scheduled restart job, restart counter is at 5.
Sep  6 15:57:13 ol8-host systemd[1]: Stopped Security Auditing Service.
Sep  6 15:57:13 ol8-host systemd[1]: auditd.service: Start request repeated too quickly.
Sep  6 15:57:13 ol8-host systemd[1]: auditd.service: Failed with result 'exit-code'.
Sep  6 15:57:13 ol8-host systemd[1]: Failed to start Security Auditing Service.

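The /var/log/audit directory is missing, so auditd cannot open its log directory and exits. systemd then retries until it hits the start limit ("Start request repeated too quickly").

Resolution:

Recreate the directory, restore its SELinux context, restrict it to mode 0700, then start the service and confirm that it is running: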

# mkdir /var/log/audit
# restorecon -Rv /var/log/audit
# chmod 0700 /var/log/audit
# systemctl start auditd
# systemctl status auditd
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2023-09-06 16:01:15 IST; 7s ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
  Process: 18833 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
  Process: 18827 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
 Main PID: 18828 (auditd)
    Tasks: 4 (limit: 10492)
   Memory: 1.6M
   CGroup: /system.slice/auditd.service
           ├─18828 /sbin/auditd
           └─18830 /usr/sbin/sedispatch

Sep 06 16:01:15 ol8-host augenrules[18844]: enabled 1
Sep 06 16:01:15 ol8-host augenrules[18844]: failure 1
Sep 06 16:01:15 ol8-host augenrules[18844]: pid 18828
Sep 06 16:01:15 ol8-host augenrules[18844]: rate_limit 0
Sep 06 16:01:15 ol8-host augenrules[18844]: backlog_limit 8192
Sep 06 16:01:15 ol8-host augenrules[18844]: lost 0
Sep 06 16:01:15 ol8-host augenrules[18844]: backlog 4
Sep 06 16:01:15 ol8-host augenrules[18844]: backlog_wait_time 60000
Sep 06 16:01:15 ol8-host augenrules[18844]: backlog_wait_time_actual 0
Sep 06 16:01:15 ol8-host systemd[1]: Started Security Auditing Service.
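
A pre-flight check for the condition described above, as an added example that is not part of the original article: it reads the log_file setting from an auditd.conf, derives the log directory, and reports whether that directory is missing, is not a directory, or does not have the 0700 mode set in the Resolution. The function names and return codes are hypothetical; it assumes GNU stat and falls back to /var/log/audit/audit.log when log_file is not set.

```shell
#!/bin/sh
# Added example (not from the original article): check the auditd log
# directory before starting the service.
# Assumptions: auditd.conf uses the "log_file = <path>" key, GNU stat is
# available (Linux), and 0700 is the expected mode, as in the Resolution.

# Print the directory holding the audit log named in the given config file.
audit_log_dir() {
    conf=$1
    log_file=$(sed -n 's/^[[:space:]]*log_file[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' \
        "$conf" 2>/dev/null | tail -n 1)
    # Fall back to the default path when the key is absent or unreadable.
    [ -n "$log_file" ] || log_file=/var/log/audit/audit.log
    dirname "$log_file"
}

# Return codes: 0 = usable, 1 = missing, 2 = not a directory, 3 = wrong mode.
check_audit_log_dir() {
    dir=$(audit_log_dir "$1")
    if [ ! -e "$dir" ]; then
        echo "MISSING: $dir (auditd will log 'Could not open dir' and exit)"
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "NOT A DIRECTORY: $dir"
        return 2
    fi
    mode=$(stat -c '%a' "$dir")
    if [ "$mode" != "700" ]; then
        echo "MODE: $dir is $mode, expected 700"
        return 3
    fi
    echo "OK: $dir exists with mode 700"
    return 0
}

# Typical use on the affected host (run as root):
#   check_audit_log_dir /etc/audit/auditd.conf
```

A non-zero result from this check before a start attempt points at the directory rather than at the audit rules or the service unit.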