audit.log space requirements:
Casey Schaufler
casey at schaufler-ca.com
Wed Jun 15 21:08:47 UTC 2005
--- Steve Grubb <sgrubb at redhat.com> wrote:
> On Wednesday 15 June 2005 11:12, Casey Schaufler
> wrote:
> > Lots of fun to be had here!
>
> Casey, do you have any idea about how much space
> people typically dedicate to auditing?
People usually allocate nothing for audit and
then get upset when the root partition fills up.
If they decide to continue auditing after they
recover they will dedicate about 2 day's worth,
which will be determined by their local
requirements.
> How long do they keep records?
They are either discarded daily or retained
forever on external media. There does not
seem to be much middle ground.
> How many events per day is typical?
On a largish server that's pretty busy the
rate is about 20MB/minute on Irix. That't
with no audit on network packet delivery, and
audit turned on for file opens and attribute
modifications. It's possible to turn it down
to about 4MB/day if you don't care about
anything other than logins and attempts to
do what requires privilege that fail. Irix
is more aggressive about putting file and
process attributes in records than y'all are,
so I expect your records are a wee bit smaller.
Casey Schaufler
casey at schaufler-ca.com
__________________________________
Discover Yahoo!
Use Yahoo! to plan a weekend, have fun online and more. Check it out!
http://discover.yahoo.com/
More information about the Linux-audit
mailing list