Thanks for the quick reply Satish.
From: Satish Chandra Kilaru [mailto:iam.kilaru@gmail.com]
Sent: Wednesday, January 28, 2015 8:49 PM
To: Viswanath, Logeswari P (MCOU OSTL)
Cc: linux-audit@redhat.com<mailto:linux-audit@redhat.com>
Subject: Re: Linux audit performance impact
Write your own program to receive audit events directly without using auditd...
That should be faster ....
Auditd will log the events to disk causing more I/o than u need...
On Wednesday, January 28, 2015, Viswanath, Logeswari P (MCOU OSTL)
<logeswari.pv@hp.com<mailto:logeswari.pv@hp.com>> wrote:
Hi Steve,
I am Logeswari working for HP.
We want to know audit performance impact on RHEL and Suse linux to help us evaluate linux
audit as data source for our host based IDS.
When we ran our own performance test with a test audispd plugin, we found if a system can
perform 200000 open/close system calls per second without auditing, system can perform
only 3000 open/close system calls auditing is enabled for open/close system call which is
a HUGE impact on the system performance. It would be great if anyone can help us answering
the following questions.
1) Is this performance impact expected? If yes, what is the reason behind it and can
we fix it?
2) Have anyone done any benchmarking for performance impact? If yes, can you please
share the numbers and also the steps/programs used the run the same.
3) Help us validating the performance test we have done in our test setup using the
steps mentioned along with the results attached.
Attached test program (loader.c) to invoke open and close system calls.
Attached idskerndsp is the audispd plugin program.
We used time command to determine how much time the system took to complete 50000
open/close system calls without (results attached Without-auditing) and with auditing
enabled on the system (With-auditing-NOLOG-audispd-plugin and With-auditing-RAW)
System details:
1 CPU machine
OS Version
RHEL 6.5
Kernel Version
uname –r
2.6.32-431.el6.x86_64
Note: auditd was occupying 35% of CPU and was sleeping for most of the time whereas
kauditd was occupying 20% of the CPU.
Thanks & Regards,
Logeswari.
--
Please Donate to
www.wikipedia.org<http://www.wikipedia.org>