audit.log space requirements:

Casey Schaufler casey at schaufler-ca.com
Wed Jun 15 21:38:34 UTC 2005



--- Steve Grubb <sgrubb at redhat.com> wrote:

> 
> Thanks for the info. This is helpful
> 
> On Wednesday 15 June 2005 17:08, you wrote:
> > On a largish server that's pretty busy the
> > rate is about 20MB/minute on Irix. That's
> > with no audit on network packet delivery, and
> > audit turned on for file opens and attribute
> > modifications. 
> 
> I wonder how many events that translates into. Just
> so we get a feel for 
> average bytes per event.

Use 200 bytes/event as a swag. The Irix rename(2)
syscall stores 3 pathname pairs in some cases,
resulting in records that can exceed 2000 bytes.
As I said before, log pathnames cause records to
swell.

> One difference is that we are purely text mode right
> now. No binary records. 
> What we are trying to determine is if this is going
> to cause us problems.

It really shouldn't matter in the long run
as pathnames will overwhelm all other record
contents on most production systems. What may
become an issue is using the kernel to do the
translation of numeric data to text. That can
be done at search/analysis time instead.



Casey Schaufler
casey at schaufler-ca.com
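As an added example, not part of the thread, the script below measures bytes per event and the share of bytes sitting in PATH records over a few constructed Linux audit.log lines in the text format Steve describes, then turns an event rate and mean record size into a daily capacity figure. It assumes the usual `type=... msg=audit(ts:serial): ...` record layout; the sample records and their values are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of audit.log text records (one open(2) and one rename(2)
# event); not captured from a real system.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1118871514.101:1001): arch=c000003e syscall=2 success=yes exit=3 items=2 ppid=1 pid=4242 auid=1000 uid=1000 gid=1000 comm="cat" exe="/usr/bin/cat" key="file-open"
type=CWD msg=audit(1118871514.101:1001): cwd="/home/example"
type=PATH msg=audit(1118871514.101:1001): item=0 name="/etc" inode=2 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1118871514.101:1001): item=1 name="/etc/passwd" inode=17 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1118871514.202:1002): arch=c000003e syscall=82 success=yes exit=0 items=4 ppid=1 pid=4243 auid=1000 uid=1000 gid=1000 comm="mv" exe="/usr/bin/mv" key="attr-mod"
type=CWD msg=audit(1118871514.202:1002): cwd="/srv/example/project/data/reports/2005/june"
type=PATH msg=audit(1118871514.202:1002): item=0 name="/srv/example/project/data/reports/2005/june" inode=100 dev=08:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1118871514.202:1002): item=1 name="/srv/example/project/data/reports/2005/june" inode=100 dev=08:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1118871514.202:1002): item=2 name="/srv/example/project/data/reports/2005/june/draft-quarterly-summary.txt" inode=101 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1118871514.202:1002): item=3 name="/srv/example/project/data/reports/2005/june/final-quarterly-summary.txt" inode=101 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
"""

# Every record of one event carries the same "timestamp:serial" id.
EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")

def event_sizes(log_text):
    """Group records by event id; return {id: (total_bytes, path_record_bytes)}."""
    totals = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue                        # not an audit record, skip it
        size = len(line.encode()) + 1       # +1 for the newline written to disk
        totals[m.group(1)][0] += size
        if line.startswith("type=PATH "):
            totals[m.group(1)][1] += size
    return {k: tuple(v) for k, v in totals.items()}

def pathname_share(log_text):
    """Fraction of all logged bytes that live in PATH (pathname) records."""
    sizes = event_sizes(log_text)
    total = sum(t for t, _ in sizes.values())
    paths = sum(p for _, p in sizes.values())
    return paths / total if total else 0.0

def daily_gib(events_per_minute, bytes_per_event):
    """Capacity estimate: event rate x mean record size, scaled to one day."""
    return events_per_minute * bytes_per_event * 60 * 24 / 2 ** 30
```

With the thread's figures (20MB/minute at a 200 bytes/event swag, i.e. about 100,000 events/minute) `daily_gib(100_000, 200)` comes to roughly 26.8 GiB per day, before the pathname swelling the rename event illustrates.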


		



