
134 points todsacerdoti | 1 comments
h43z ◴[] No.44602682[source]
Do I understand correctly that in order for logs to rotate you have to reboot?
jelder ◴[] No.44603379[source]
My thoughts exactly. And couldn’t an attacker just fill the logging volume with uninteresting events to prevent certain other events from being recorded?
1. gertrunde ◴[] No.44603959[source]
That would be where something like auditd would come in, configured so that if the audit log location runs low on space (or out of space), it will halt the system.

(Yes, quite harsh, but for some use cases it may be the right thing to do, i.e. to fail closed).
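
The fail-closed auditd setup described in the comment above can be checked mechanically. The following is an added example, not part of the original thread: a small checker over `auditd.conf` text, run against two constructed sample configurations. The function names and the choice to accept `single` alongside `halt` are assumptions of this example.

```python
# Added example: checks auditd.conf text for fail-closed disk-space handling.
# Both sample configurations below are constructed for illustration.
FAIL_CLOSED = {"halt", "single"}  # halt the machine, or drop to single-user mode
ACTION_KEYS = ("admin_space_left_action", "disk_full_action", "disk_error_action")

WEAK_CONF = """
max_log_file_action = ROTATE
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SYSLOG
"""

HARDENED_CONF = """
max_log_file_action = KEEP_LOGS
space_left_action = EMAIL
admin_space_left_action = HALT
disk_full_action = HALT
disk_error_action = HALT
"""

def parse_conf(text):
    """Parse 'key = value' lines; keys and values are compared case-insensitively."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip().lower()
    return settings

def findings(text):
    """Return the reasons this configuration does not fail closed (empty if it does)."""
    conf = parse_conf(text)
    problems = []
    for key in ACTION_KEYS:
        value = conf.get(key)
        if value not in FAIL_CLOSED:
            problems.append(f"{key} = {value or 'unset'}: system is not stopped when records cannot be written")
    if conf.get("max_log_file_action") == "rotate":
        problems.append("max_log_file_action = rotate: oldest log files are discarded as new events arrive")
    return problems

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, findings(conf) or "fails closed")
```

The `rotate` finding is the case raised earlier in the thread: with rotation enabled, a flood of uninteresting events pushes older records out instead of triggering the disk-space actions.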