BIG performance hit with auditd on large systems (>64 CPUs)
Klaus Lichtenwalder
klic at mnet-online.de
Tue May 23 09:05:18 UTC 2017
Hi everybody
On 19 May 2017 23:41:58 CEST, Stephen Buchanan <stephenwb at gmail.com> wrote:
>Agree with Steve's suggestion re: "-S all". Also might help if you sort
I now know where -S all stems from... Some watches add a -S all by themselves... Probably created an audit.rules file by textually working from there and duplicating rules.
>your rules to put all the ones with '-F auid>=400' below a single line
>rule
>like this:
>-a never,exit -F auid<400
>
>and remove the '-F auid>=400' from all of the rules below it.
>
...
I did this, and verified it, but there was absolutely no difference to unsorted rules having -S all also specified.
Still CPU %system up to 50% and run time of jobs 100% longer.
This was on a VM with 72 CPUs.
Klaus
--
Sent with K9 from my phone. The recipient may keep any typos and strange words.
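The rule reordering from the quoted suggestion, sketched as an added example that is not part of the thread or of the audit project's code. The helper names and the sample rules are assumptions made for illustration; rules without the auid filter are kept above the never rule so they still apply to auid < 400, and rules carrying `-S all` are only reported.

```python
NEVER_RULE = "-a never,exit -F auid<400"  # single-line rule from the quoted suggestion
AUID_FILTER = ["-F", "auid>=400"]         # per-rule filter that the never rule replaces

# Constructed sample rules for illustration; not the poster's actual audit.rules.
SAMPLE = """\
-D
-b 8192
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S all -F auid>=400 -F dir=/data -k data-access
-a always,exit -F arch=b64 -S sethostname -k system-locale
-a always,exit -F arch=b64 -S execve -F auid>=400 -k exec
"""

def _find_pair(tokens, pair):
    """Index of the adjacent token pair (e.g. ['-S', 'all']) or -1."""
    for i in range(len(tokens) - 1):
        if tokens[i:i + 2] == pair:
            return i
    return -1

def consolidate(rules_text):
    """Return (rewritten_lines, lines_with_S_all).

    Rules without the auid filter stay above the never rule so they still
    fire for auid < 400; rules that carried the filter move below it with
    the now-redundant field removed.
    """
    head, tail, s_all = [], [], []
    for line in rules_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            head.append(line)          # keep blanks and comments as they are
            continue
        at = _find_pair(tokens, AUID_FILTER)
        if at >= 0:
            del tokens[at:at + 2]
            tail.append(" ".join(tokens))
        else:
            head.append(" ".join(tokens))
        if _find_pair(tokens, ["-S", "all"]) >= 0:
            s_all.append(" ".join(tokens))   # report only; left for manual review
    return head + ([NEVER_RULE] + tail if tail else []), s_all

if __name__ == "__main__":
    lines, flagged = consolidate(SAMPLE)
    print("\n".join(lines))
    print("# rules still carrying -S all:", len(flagged))
```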