BIG performance hit with auditd on large systems (>64 CPUs)
Steve Grubb
sgrubb at redhat.com
Tue May 23 12:51:29 UTC 2017
Hello,
On Tue, 23 May 2017 11:05:18 +0200
Klaus Lichtenwalder <klic at mnet-online.de> wrote:
> On 19 May 2017 23:41:58 MESZ, Stephen Buchanan
> <stephenwb at gmail.com> wrote:
> >Agree with Steve's suggestion re: "-S all". Also might help if you
> >sort
>
> I now know where -S all stems from... Some watches add a -S all by
> themselves... Probably created an audit.rules file by textually
> working from there and duplicating rules
What is the source of your rules listed? Is it coming from auditctl -l
or from /etc/audit/audit.rules? There were a couple releases of
auditctl where I think -S all may have been added but if I remember it
was fixed a few releases later. The rules that come from disk would be
more accurate.
-Steve
> >your rules to put all the ones with '-F auid>=400' below a single
> >line rule
> >like this:
> >-a never,exit -F auid<400
> >
> >and remove the '-F auid>=400' from all of the rules below it.
> >
> ...
>
> I did this, and verified it, but there was absolutely no difference
> to unsorted rules having -S all also specified
>
> Still cpu %system up to 50% and run time of jobs 100% longer.
> This was on a vm with 72 cpus
>
> Klaus
>
>
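The rule-ordering trick discussed in this thread (a single `-a never,exit -F auid<400` rule ahead of the exit rules, with the repeated `-F auid>=400` removed) is easy to get subtly wrong by hand. The script below is an added example, not code from the thread or from the audit project: it takes a constructed audit.rules text, lists the rules that use `-S all`, and performs the consolidation only when every exit rule actually carries the `-F auid>=400` filter, because a leading `never` rule would otherwise drop events that an unfiltered rule was meant to record. The auid threshold of 400 comes from the thread; the sample rules, the function names and the refusal behaviour are assumptions of this example.

```python
import re

# Constructed sample audit.rules content (not taken from the thread).
# This is the "unsorted" form: every exit rule repeats '-F auid>=400'.
SAMPLE_RULES = """\
-D
-b 8192
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S execve -F auid>=400 -k exec
-a always,exit -F arch=b64 -S open,openat -F auid>=400 -k file_open
-a always,exit -F arch=b64 -S all -F auid>=400 -k catch_all
"""

EXIT_RULE = re.compile(r"-a\s+\S*\bexit\b")


def rules_with_s_all(text):
    """Return the rule lines that match every syscall ('-S all'), the
    expensive form the thread points at as a performance problem."""
    return [ln for ln in text.splitlines()
            if ln.startswith("-a ") and re.search(r"-S\s+all\b", ln)]


def consolidate_auid_filter(text, threshold=400):
    """Rewrite rules so one '-a never,exit -F auid<N' precedes the exit
    rules and the repeated '-F auid>=N' is dropped from each of them.

    Returns (new_text, []) on success.  Returns (None, offending_rules)
    when some exit rule lacks the filter: consolidating anyway would make
    the leading 'never' rule silently discard events that rule was
    supposed to record, so the caller must decide explicitly.
    """
    filt = f"-F auid>={threshold}"
    never = f"-a never,exit -F auid<{threshold}"
    lines = text.splitlines()
    exit_rules = [ln for ln in lines if EXIT_RULE.match(ln)]
    missing = [ln for ln in exit_rules if filt not in ln]
    if missing:
        return None, missing
    out, inserted = [], False
    for ln in lines:
        if ln in exit_rules:
            if not inserted:
                out.append(never)  # one short-circuit rule, before the first exit rule
                inserted = True
            ln = ln.replace(" " + filt, "")  # filter is now implied by the never rule
        out.append(ln)
    return "\n".join(out) + "\n", []


if __name__ == "__main__":
    for r in rules_with_s_all(SAMPLE_RULES):
        print("uses -S all:", r)
    new_text, problems = consolidate_auid_filter(SAMPLE_RULES)
    if new_text is None:
        print("refusing to consolidate; exit rules without the auid filter:")
        for p in problems:
            print("  ", p)
    else:
        print(new_text)
```

Run it against a real `/etc/audit/audit.rules` copy rather than `auditctl -l` output if you want to see what is on disk, which is the point Steve raises above; the script does not load anything into the kernel.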