file watch question

[LC Bruzenak]

Reading the man page for auditctl, looking at file watch rules I see this:

      -w path
              Insert a watch for the file system object at path. You
cannot insert a watch to the top level directory. This is prohibited by 
the  kernel.
              Wildcards  are not supported either and will generate a
warning. The way that watches work is by tracking the inode internally.
If you place
              a watch on a file, its the same as using the -F path
option on a syscall rule. If you place a watch on a directory, its the 
same  as  using
              the  -F  dir  option  on  a  syscall  rule. The -w form of
writing watches is for backwards compatibility and the syscall based
form is more
              expressive. Unlike most syscall auditing rules, watches do
not impact performance based on the number of rules sent to the kernel.
The  only
              valid  options when using a watch are the -p and -k. If
you need to anything fancy like audit a specific user accessing a file,
then use the
              syscall auditing form with the path or dir fields. See the
EXAMPLES section for an example of converting one form to another.

I assume if the "-w form" is just backwards-compatible, it is preferred
to use the syscall method.
Question -
The line saying, "Unlike most syscall auditing rules, watches do not
impact performance based on the number of rules sent to the kernel" -
does this mean that BOTH the "-w" and "syscall" rules have no
performance impact?

Thx,
LCB

-- 
LC (Lenny) Bruzenak
lenny at magitekltd.com