SSPI console shows "audit: kauditd hold queue overflow" messages repeatedly.

Article ID: 423118

Products

VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

After upgrading SSP from 5.0 to 5.1, or on a new deployment of 5.1, the SSPI console repeatedly shows "audit: kauditd hold queue overflow" messages.

Environment

SSP 5.1.0

Cause

The auditd service fails to come up.

systemctl status auditd

× auditd.service - Security Auditing Service
     Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; preset: enabled)
     Active: failed (Result: exit-code) since Thu 2025-12-11 18:23:57 UTC; 3 days ago
       Docs: man:auditd(8)
             https://github.com/linux-audit/audit-documentation
    Process: 1398 ExecStart=/sbin/auditd (code=exited, status=6)
        CPU: 8ms

Dec 11 18:23:57 ssp-installer-### systemd[1]: auditd.service: Control process exited, code=exited, status=6/NOTCONFIGURED
Dec 11 18:23:57 ssp-installer-### systemd[1]: auditd.service: Failed with result 'exit-code'.
Dec 11 18:23:57 ssp-installer-### systemd[1]: Failed to start auditd.service - Security Auditing Service.
Dec 11 18:23:57 ssp-installer-### systemd[1]: auditd.service: Scheduled restart job, restart counter is at 5.
Dec 11 18:23:57 ssp-installer-### systemd[1]: auditd.service: Start request repeated too quickly.
Dec 11 18:23:57 ssp-installer-### systemd[1]: auditd.service: Failed with result 'exit-code'.
Dec 11 18:23:57 ssp-installer-### systemd[1]: Failed to start auditd.service - Security Auditing Service.

During service start, auditd looks for the /var/log/audit directory to write the audit logs to. That directory is not present after the upgrade. The service therefore fails and cannot log audit messages, which creates a message backlog.

Resolution

Workaround:

SSH to SSPI as sysadmin

1. Create a directory /var/log/audit.
   mkdir /var/log/audit

2. Restart the auditd service.
   systemctl restart auditd

3. Check the status of the auditd service.
   systemctl status auditd

Check the SSPI console from vCenter. New messages should not appear.
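
The workaround as a guarded script, given here as an added example that is not part of the KB article: it confirms the status=6/NOTCONFIGURED signature in the journal before creating the directory and restarting auditd. The function names, the log_file lookup in /etc/audit/auditd.conf, the audit.log file name, and the owner-only directory mode are assumptions not stated in the article.

```shell
#!/bin/sh
# Added example, not from the KB article. Function names are hypothetical.

# Print the log_file path set in an auditd.conf-style file ($1). If the key is
# absent, fall back to audit.log (assumed name) under the article's /var/log/audit.
audit_log_file() {
    val=$(sed -n 's/^[[:space:]]*log_file[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${val:-/var/log/audit/audit.log}"
}

# Return 0 if journal text on stdin carries the failure signature shown in the
# article: the auditd control process exiting with status=6/NOTCONFIGURED.
auditd_notconfigured() {
    grep -q 'auditd\.service: Control process exited.*status=6/NOTCONFIGURED'
}

# Make sure the directory holding the audit log exists. Prints "present" or
# "created"; returns non-zero only if the directory cannot be created.
ensure_audit_dir() {
    dir=$(dirname "$(audit_log_file "$1")")
    if [ -d "$dir" ]; then
        echo present
        return 0
    fi
    # Assumption: owner-only access (umask 077) for a directory of audit records.
    ( umask 077 && mkdir -p "$dir" ) || return 1
    echo created
}

# Live run: only with --apply, as root, on a host with systemd and auditd.
if [ "${1:-}" = "--apply" ]; then
    conf=/etc/audit/auditd.conf
    if journalctl -u auditd -b --no-pager | auditd_notconfigured; then
        echo "auditd exited NOTCONFIGURED; log dir: $(ensure_audit_dir "$conf")"
        systemctl restart auditd
    fi
    systemctl is-active auditd
fi
```

Run without arguments the script only defines the functions; pass --apply on the SSPI to perform the check and restart.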

Note: This issue will be fixed in the next release of the SSP.