9:48 a.m.
Last attempt, today isn't fairing well for me. I promise no more duplicate
messages.
Appologies for the double-send, but the first one is clearly incomplete,
somehow I managed to hit send.
To begin the space-requirements discussion:
A log file of 2133 lines, having been generated from running the system
call tests suite, is a size of 302539 bytes (300k if you will).
While this isn't truely indicitive of the size, and I'm sure Ken's
production environment will yeild more insightful results, this still gives
us a pretty good idea of size vs space requirements.
This ratio yields a value of approximately 141 bytes per line. The standard
SYSCALL log entry (which generates the SYSCALL, CWD & PATH records), is 483
bytes per syscall. So after about 2000 syscalls, your log is already a meg.
Of course, that doesn't include audit start/stop and rule additions, but I
think it would be safe to assume those aren't going to happen with any sort
of frequency that it will cause a significant impact.
Mike
10:12 a.m.
New subject: audit.log space requirements:
--- Michael C Thompson <mcthomps(a)us.ibm.com> wrote:
To begin the space-requirements discussion:
Pathnames tend to be the leading cause of large
audit records on production Unix systems. It
would be instructive to use a kernel make as
an audit test case, if you're looking to
understand the behavior of the audit system
under a file system load.
You can also use:
% find / -type f
to generate a pathname edgecase test.
To really make the developers sweat try:
% find / -type f & find / -type f & find / -type f
I haven't been able to gleen what is being
audited in the networking context. If there
is audit of packet delivery (has been required
on past CAPP and LSPP evaluations) turning
that on and starting X11 will offer insights
as well.
Lots of fun to be had here!
Casey Schaufler
casey(a)schaufler-ca.com
__________________________________
Discover Yahoo!
Get on-the-go sports scores, stock quotes, news and more. Check it out!
http://discover.yahoo.com/mobile.html
10:17 a.m.
New subject: audit.log space requirements:
On Wednesday 15 June 2005 11:12, Casey Schaufler wrote:
Lots of fun to be had here!
Casey, do you have any idea about how much space people typically dedicate to
auditing? How long do they keep records? How many events per day is typical?
-Steve
4:08 p.m.
New subject: audit.log space requirements:
--- Steve Grubb <sgrubb(a)redhat.com> wrote:
On Wednesday 15 June 2005 11:12, Casey Schaufler
wrote:
> Lots of fun to be had here!
Casey, do you have any idea about how much space
people typically dedicate to auditing?
People usually allocate nothing for audit and
then get upset when the root partition fills up.
If they decide to continue auditing after they
recover they will dedicate about 2 day's worth,
which will be determined by their local
requirements.
How long do they keep records?
They are either discarded daily or retained
forever on external media. There does not
seem to be much middle ground.
How many events per day is typical?
On a largish server that's pretty busy the
rate is about 20MB/minute on Irix. That't
with no audit on network packet delivery, and
audit turned on for file opens and attribute
modifications. It's possible to turn it down
to about 4MB/day if you don't care about
anything other than logins and attempts to
do what requires privilege that fail. Irix
is more aggressive about putting file and
process attributes in records than y'all are,
so I expect your records are a wee bit smaller.
Casey Schaufler
casey(a)schaufler-ca.com
__________________________________
Discover Yahoo!
Use Yahoo! to plan a weekend, have fun online and more. Check it out!
http://discover.yahoo.com/
4:14 p.m.
New subject: audit.log space requirements:
Thanks for the info. This is helpful
On Wednesday 15 June 2005 17:08, you wrote:
On a largish server that's pretty busy the
rate is about 20MB/minute on Irix. That't
with no audit on network packet delivery, and
audit turned on for file opens and attribute
modifications.
I wonder how many events that translates into. Just so we get a feel for
average bytes per event.
Irix is more aggressive about putting file and
process attributes in records than y'all are,
so I expect your records are a wee bit smaller.
One difference is that we are purely text mode right now. No binary records.
What we are trying to determine is if this is going to cause us problems.
-Steve
4:38 p.m.
New subject: audit.log space requirements:
--- Steve Grubb <sgrubb(a)redhat.com> wrote:
Thanks for the info. This is helpful
On Wednesday 15 June 2005 17:08, you wrote:
> On a largish server that's pretty busy the
> rate is about 20MB/minute on Irix. That't
> with no audit on network packet delivery, and
> audit turned on for file opens and attribute
> modifications.
I wonder how many events that translates into. Just
so we get a feel for
average bytes per event.
Use 200 bytes/event as a swag. The Irix rename(2)
syscall stores 3 pathname pairs in some cases,
resulting in records that can exceed 2000 bytes.
As I said before, log pathnames cause records to
swell.
One difference is that we are purely text mode right
now. No binary records.
What we are trying to determine is if this is going
to cause us problems.
It really shouldn't matter in the long run
as pathnames will overwhelm all other record
contents on most production systems. What may
become an issue is using the kernel to do the
translation of numeric data to text. That can
be done at search/analysys time instead.
Casey Schaufler
casey(a)schaufler-ca.com
__________________________________
Discover Yahoo!
Have fun online with music videos, cool games, IM and more. Check it out!
http://discover.yahoo.com/online.html
7130
days inactive
7130
days old
linux-audit@lists.linux-audit.osci.io
5 comments
3 participants
participants (3)
-
Casey Schaufler -
Michael C Thompson -
Steve Grubb