Hello,
On Tue, 23 May 2017 11:05:18 +0200
Klaus Lichtenwalder <klic(a)mnet-online.de> wrote:
On 19 May 2017 23:41:58 MESZ, Stephen Buchanan
<stephenwb(a)gmail.com> wrote:
>Agree with Steve's suggestion re: "-S all". Also might help if you
>sort
I now know where -S all stems from... Some watches add a -S all by
themselves... I probably created an audit.rules file by textually
working from there and duplicating rules.
What is the source of your rules listed? Is it coming from auditctl -l
or from /etc/audit/audit.rules? There were a couple of releases of
auditctl where I think -S all may have been added, but if I remember it
was fixed a few releases later. The rules that come from disk would be
more accurate.
-Steve
>your rules to put all the ones with '-F auid>=400'
>below a single
>line rule
>like this:
>-a never,exit -F auid<400
>
>and remove the '-F auid>=400' from all of the rules below it.
>
...
I did this and verified it, but there was absolutely no difference
compared to unsorted rules that also had -S all specified.
Still CPU %system up to 50% and run time of jobs 100% longer.
This was on a vm with 72 cpus
Klaus
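The two things discussed in this thread, Stephen's restructuring (one early "-a never,exit -F auid<400" rule, then the remaining rules with their per-rule "-F auid>=400" dropped) and Steve's question of whether "-S all" lives in the on-disk file or only in what auditctl -l prints back, as an added shell example. This is not code from the thread or from the audit project; the rule set inside it is constructed for illustration and is not Klaus's real file. Note that Klaus reports the restructuring made no measurable difference on his system, so the script shows the transformation and the check, not a performance fix.

```shell
#!/bin/sh
# Added example, not from the thread. SAMPLE_RULES is a constructed
# audit.rules fragment: syscall rules that each carry "-F auid>=400",
# plus a "-S all" rule of the kind that crept into Klaus's file.
SAMPLE_RULES='-D
-b 8192
-a always,exit -F arch=b64 -S all -F auid>=400 -F auid!=4294967295 -k all_syscalls
-a always,exit -F arch=b64 -S open -S openat -F auid>=400 -F exit=-EACCES -k access
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S execve -F auid>=400 -k exec'

# Syscall rules are evaluated in order and the first match wins, so a single
# "never" rule for auid<400 placed ahead of the rest lets the kernel stop
# evaluating those events early. The per-rule "-F auid>=400" field is then
# redundant and is removed. Lines that are not "-a" syscall rules (watches,
# -D, -b) pass through unchanged.
hoist_auid_filter() {
  printf '%s\n' "$1" | awk '
    /^-a / && /-F auid>=400/ {
      if (!emitted) { print "-a never,exit -F auid<400"; emitted = 1 }
      sub(/ -F auid>=400/, "")
    }
    { print }
  '
}

# List the rules that match every syscall. A "-S all" rule runs the
# exit-filter on every syscall the matching processes make, which is the
# kind of rule that shows up as high %system time.
all_syscall_rules() {
  printf '%s\n' "$1" | grep -e '-S all' || true
}

# Steve's question: do the "-S all" rules come from the file on disk, or only
# from what auditctl -l reports? Counting them in both places answers it.
# Needs root and a running auditd, so the example does not call it; run it
# by hand on the affected host.
count_all_syscall_rules_loaded_vs_disk() {
  printf 'loaded:  %s\n' "$(auditctl -l | grep -c -e '-S all')"
  printf 'on disk: %s\n' "$(grep -c -e '-S all' /etc/audit/audit.rules)"
}

hoist_auid_filter "$SAMPLE_RULES"
all_syscall_rules "$SAMPLE_RULES"
```

Running the script prints the rewritten rule set (the "never" rule appears once, right before the first rule that carried "-F auid>=400", and that field is gone from every rule that follows) and then the single "-S all" rule. Feed the rewritten output to auditctl -R or into audit.rules, then compare the counts from the last function: if "-S all" shows up only in auditctl -l, the listing is the culprit; if it is in the file on disk, the rule really is matching every syscall.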