BIG performance hit with auditd on large systems (>64 CPUs)
Klaus Lichtenwalder
klic at mnet-online.de
Tue May 30 18:17:16 UTC 2017
>>> your rules to put all the ones with '-F auid>=400' below a single
>>> line rule
>>> like this:
>>> -a never,exit -F auid<400
>>>
>>> and remove the '-F auid>=400' from all of the rules below it.
>>>
>> ...
>>
>> I did this, and verified it, but there was absolutely no difference
>> to unsorted rules having -S all also specified
>>
>> Still cpu %system up to 50% and run time of jobs 100% longer.
>> This was on a vm with 72 cpus
>>
Just to give this story some kind of closure: we got a test kernel from
$SUPPORT fixing a specific bugzilla (which seems to be private) and %cpu
system is in normal (low) ranges again.
So thanks for your advice, it is still heeded!
Klaus
--
------------------------------------------------------------------------
Klaus Lichtenwalder, Dipl. Inform., http://www.lichtenwalder.name/
PGP Key fingerprint: 3AE6 044D 1161 1ABF AC2D 23B3 4C15 7232 FDCA 0980
More information about the Linux-audit mailing list