On Mon, Dec 7, 2020 at 8:34 PM Richard Guy Briggs <rgb(a)redhat.com> wrote:
> On 2020-12-07 18:28, Steve Grubb wrote:
> ...
> > Other metrics would be good. I'd like to see a max_backlog to know if we are
> > wasting memory. It would just record the highwater mark since auditing was
> > enabled.
>
> That would be covered with this issue:
> https://github.com/linux-audit/audit-kernel/issues/63

For those who haven't clicked on the GH issue above, increasing the
queue depth doesn't result in wasted memory; memory is allocated as
needed and released when it is no longer used. Simply increasing the
backlog size doesn't increase the amount of memory used in the kernel
by audit until the backlog queues start to fill. Once the backlog is
cleared by auditd then the memory is released.
--
paul moore
www.paul-moore.com