Fw: Audit record emission

Steve Grubb sgrubb at redhat.com
Fri May 6 16:39:10 UTC 2005


On Friday 06 May 2005 12:06, Kris Wilson wrote:
> How do you set backlog?  

-b 1024  in /etc/audit.rules

> Is the default 64?  

Yes.

> For the evaluation should our configuration script change it to >1024?

That depends. If you are testing what actions occur when messages are dropped, 
you want to set it lower. For normal operation, you will want to set it 
higher. 

I was thinking that we need some kind of load test to tune the number with. 
The combination of priority & backlog will need to be set depending on: 
expected load, audit rules, the speed of the CPU, and the slowness of the 
disk.

During normal operations, events pile up. When the audit daemon gets its time 
slice, it drains the queue quickly. Then events pile up again. Lengthening 
the queue lets you run the system through bursts of activity without losing a 
record. The fundamental question is how long should I make the queue?

The answer I think is based on how often the audit daemon runs and how many 
events can pile up in the interim. The audit daemon must get enough time 
slices that the queue is sitting at 0 nearly anytime you check. If the 
backlog value starts creeping up, the audit daemon is losing the race and 
needs more priority.

I almost think this needs a utility to help tune it. If a system has a fast 
CPU, it could generate more events than a slower CPU. If the disk is slow, we 
can't dispatch events as fast and that needs to be accounted for.

-Steve
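The "is the backlog creeping up" check from the message above, as an added example that is not part of the original post: it parses the counters `auditctl -s` prints and reports when the queue is no longer sitting near 0 or when the kernel has already dropped records. It assumes the one-counter-per-line "key value" output of current auditctl (the older single-line "key=value" form is also accepted); the threshold and the sample data in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from Steve's post: read the counters that `auditctl -s`
# reports and flag when the kernel backlog creeps up (auditd losing the race)
# or when records have already been lost. The "key value" per-line output of
# current auditctl is assumed; the older single-line "key=value" form is also
# parsed. Thresholds used here are constructed for illustration.

# Print one counter (e.g. backlog, backlog_limit, lost) from auditctl -s text on stdin.
audit_stat() {
    tr ' ' '\n' | awk -F'=' -v key="$1" '
        $1 == key { if (NF == 2) { print $2; exit }; want = 1; next }
        want == 1 { print $1; exit }'
}

# $1 = auditctl -s output, $2 = creep threshold as percent of backlog_limit.
# Returns 0 when healthy, 1 when the queue has crept past the threshold,
# 2 when the kernel already dropped records, 3 when the output is unparsable.
check_backlog() {
    backlog=$(printf '%s\n' "$1" | audit_stat backlog)
    limit=$(printf '%s\n' "$1" | audit_stat backlog_limit)
    lost=$(printf '%s\n' "$1" | audit_stat lost)
    [ -n "$backlog" ] && [ -n "$limit" ] && [ "$limit" -gt 0 ] || return 3
    [ "${lost:-0}" -gt 0 ] && return 2
    pct=$((backlog * 100 / limit))      # integer percent of the queue in use
    [ "$pct" -ge "$2" ] && return 1
    return 0
}

# Poll a live system (needs root); prints a line whenever the queue is not near 0.
watch_backlog() {
    interval=${1:-5}; threshold=${2:-10}
    while out=$(auditctl -s); do
        rc=0; check_backlog "$out" "$threshold" || rc=$?
        b=$(printf '%s\n' "$out" | audit_stat backlog)
        l=$(printf '%s\n' "$out" | audit_stat backlog_limit)
        case $rc in
            1) echo "$(date +%T) backlog creeping: $b/$l, raise -b or auditd priority" ;;
            2) echo "$(date +%T) records lost: $(printf '%s\n' "$out" | audit_stat lost)" ;;
        esac
        sleep "$interval"
    done
}
```

Run `watch_backlog 5 10` during a load test to see whether a `-b` value and auditd priority keep the queue drained through bursts.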
