Linux audit performance impact

Paul Moore paul at paul-moore.com
Mon Feb 16 17:32:23 UTC 2015


On Mon, Feb 16, 2015 at 6:25 AM, Viswanath, Logeswari P (MCOU OSTL)
<logeswari.pv at hp.com> wrote:
> I configured the system to audit the open system call alone instead of all the system calls (our loader program executes) and hence I saw the massive improvement in performance.
> My fix is not causing any change in the performance. I wrongly communicated that the fix is causing performance improvement. Sorry for that.
>
> As per the perf data, format_decode is the function where most of the time is spent, i.e. formatting the record in the buffer before delivering the data to user space.
> We need to eliminate formatting records to increase the performance.
> Any idea why we need to format the record and whether we can add an option (RAW) to deliver the record without formatting to user space?

As Steve mentioned, the audit record format is very rigid and poorly
designed; any changes will likely cause significant problems with
userspace.

That said, I'm in the process of evaluating how we can move to a
different format which should alleviate a lot of the problems you
mention in this thread.

-- 
paul moore
www.paul-moore.com



