Persistent USB boot key: mounting /var/log to tmpfs gives auditd problems

Trying to make a bootable persistent USB-flash-key and are mounting as many folder as possible to tmpfs e.g.:

tmpfs   /tmp       tmpfs   defaults,noatime,nosuid,size=1024m            0 0
tmpfs   /var/tmp   tmpfs   defaults,noatime,nosuid,size=30m              0 0
tmpfs   /var/log   tmpfs   defaults,noatime,nosuid,mode=0755,size=200m   0 0
tmpfs   /var/run   tmpfs   defaults,noatime,nosuid,mode=0755,size=100m   0 0 

In other distros the worked fine but RHEL’ish seem to require the existence of /var/log/audit/ and/or /var/log/audit/audit.log for the audit daemon to start.

I tried to come around it by modifying /etc/audit/auditd.conf:

#log_file = /var/log/audit/audit.log
 log_file = /var/log/audit.log

But I still get errors in the journal log:

auditd[599]: Unable to create /var/log/audit.log (Permission denied)
Dec 06 07:21:49 COS-SDK-01 auditd[599]: Couldn't create log file /var/log/audit.log (Permission denied)
Dec 06 07:21:49 COS-SDK-01 auditd[599]: The audit daemon is exiting.
Dec 06 07:21:49 COS-SDK-01 auditd[598]: Cannot daemonize (No child processes)

I then changed the mount permission if fstab to 0777 (read, write, execute to all) but it didn’t help.

Any trick to solve this?

It’s just a utility/maintenance USB-stick, so I guess I don’t need the audit-daemon so I tried to disable auto-start of the daemon and everything seem to run fine, not sure what it’s for, but “audit” smell like something I don’t need for a util stick.