A combined audit event message

Matthew Booth mbooth at redhat.com
Fri Feb 27 22:27:02 UTC 2009


LC Bruzenak wrote:
> And what you are saying is that rather than use the ausearch equivalent
> (or whatever tool which uses auparse library) on the receiving end, it
> is more expedient to combine the record into one event prior to sending?
> IIUC, is it because of the reduced amount of data flowing or less
> processing needed on the receiving end (or both)?
> 

Well, I'm tuning for the particular tool in use by my customer. This
particular tool has problems with this workload. I can't back up a
generalisation with numbers.

However, architecturally the host seems like the right place to do this.
It's much cheaper to do on the host as you don't have to filter out
events from other hosts, and you're also distributing the load somewhat.

Interestingly, on the host load point, I quite unexpectedly saw an
improvement in host performance when sending combined messages. Run time
of a pathological test case improved about 5%. The code isn't production
quality yet, and I haven't done any major analysis of that, but my guess
is that the slight increase in work to stitch the messages together is
outweighed by the reduction in the number of network system calls.

Matt
-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
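The stitching Matt describes, as an added illustration that is not his code or anything from the audit project: group the raw records the kernel emits for one event by their audit(timestamp:serial) key, close the event on its EOE record, and hand off one combined message per event instead of one per record. The combined wire format and the sample records below are constructed assumptions; the page does not specify either.

```python
import re

# Added example (not Matt's code): stitch the separate records the kernel emits for
# one audit event into a single combined message before it leaves the host.
# The combined wire format below is an assumption; the page does not specify one.

# Every record starts with: type=<TYPE> msg=audit(<timestamp>:<serial>): <body>
_HEADER = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)

# Constructed sample: a 3-record open() event (serial 100) interleaved with a
# single-record USER_LOGIN event (serial 101). Only the kernel-side event gets EOE.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1235773622.101:100): arch=c000003e syscall=2 success=yes exit=3 comm="cat" exe="/bin/cat"',
    'type=CWD msg=audit(1235773622.101:100): cwd="/home/matt"',
    'type=USER_LOGIN msg=audit(1235773623.500:101): pid=2201 uid=0 auid=500 msg=\'op=login acct="matt" res=success\'',
    'type=PATH msg=audit(1235773622.101:100): item=0 name="notes.txt" inode=1234 mode=0100644',
    'type=EOE msg=audit(1235773622.101:100): ',
]


def parse_record(line):
    """Split one raw record into (type, timestamp, serial, body); None if malformed."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    return m.group("type"), m.group("ts"), int(m.group("serial")), m.group("body")


def format_event(ts, serial, records):
    """Assumed combined format: the audit(ts:serial) key once, then each record's
    type and body separated by ' | '."""
    parts = ["type=%s %s" % (rtype, body) for rtype, body in records]
    return "audit(%s:%d) %s" % (ts, serial, " | ".join(parts))


def combine_events(lines):
    """Group records by their (timestamp, serial) key and return one message per event.

    An EOE record closes the event it belongs to. Events that never see EOE
    (user-space records, or a stream cut mid-event) are flushed when input ends;
    a long-running host agent would add a timeout here, as auparse does."""
    pending = {}          # (ts, serial) -> list of (type, body), insertion-ordered
    combined = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue              # not an audit record; drop rather than mis-stitch
        rtype, ts, serial, body = rec
        key = (ts, serial)
        if rtype == "EOE":
            if key in pending:
                combined.append(format_event(ts, serial, pending.pop(key)))
            continue
        pending.setdefault(key, []).append((rtype, body))
    for (ts, serial), records in pending.items():
        combined.append(format_event(ts, serial, records))
    return combined


def message_counts(lines):
    """(raw record count, combined event count): the number of sends saved."""
    return len(lines), len(combine_events(lines))


if __name__ == "__main__":
    for msg in combine_events(SAMPLE_RECORDS):
        print(msg)
    print("records=%d events=%d" % message_counts(SAMPLE_RECORDS))
```

Keying on the serial rather than on arrival order is what makes this safe against the interleaving in the sample: the USER_LOGIN record landing in the middle of the open() event does not split that event. The five raw records become two messages, which is the reduction in sends Matt attributes the 5% improvement to.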




More information about the Linux-audit mailing list