Hi everybody
On 19 May 2017 23:41:58 CEST, Stephen Buchanan <stephenwb(a)gmail.com> wrote:
> Agree with Steve's suggestion re: "-S all". Also might help if you sort

I now know where -S all stems from... Some watches add a -S all by themselves... Probably
created an audit.rules file by textually working from there and duplicating rules

> your rules to put all the ones with '-F auid>=400' below a single line rule
> like this:
> -a never,exit -F auid<400
> and remove the '-F auid>=400' from all of the rules below it.
...
I did this, and verified it, but there was absolutely no difference to unsorted rules
having -S all also specified
Still cpu %system up to 50% and run time of jobs 100% longer.
This was on a vm with 72 cpus
Klaus
--
Sent from my phone with K9. The recipient may keep any typos and strange words.
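The rule layout from the quoted suggestion, as an added example that is not part of the original messages or of the audit tools: it moves every exit rule carrying `-F auid>=400` below one `-a never,exit -F auid<400` line and strips that field from them. The function name `regroup`, the sample rules, and the choice to keep watches and unfiltered rules above the never rule and any `-e` line last are assumptions made for this sketch.

```python
import re

NEVER_RULE = "-a never,exit -F auid<400"
# The field the suggestion says to remove from each rule (exact match only).
AUID_FILTER = re.compile(r"\s+-F\s+auid>=400(?=\s|$)")
EXIT_RULE = re.compile(r"^-a\s+(always,exit|exit,always)\b")
ENABLE_FLAG = re.compile(r"^-e\s")


def regroup(lines):
    """Reorder audit.rules lines around a single 'never' rule for auid<400."""
    above, below, tail = [], [], []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ENABLE_FLAG.match(line):
            tail.append(line)    # "-e" stays last; "-e 2" locks the rule set
        elif EXIT_RULE.match(line) and AUID_FILTER.search(line):
            below.append(AUID_FILTER.sub("", line))
        else:
            above.append(line)   # watches, control lines, rules without the filter
    if below:
        above.append(NEVER_RULE)
    return above + below + tail


# Constructed sample input, not taken from the thread.
SAMPLE = """\
-D
-b 8192
-a always,exit -F arch=b64 -S chmod -S fchmod -F auid>=400 -F auid!=4294967295 -k perm_mod
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S unlink -S rename -F auid>=400 -k delete
-a always,exit -F arch=b64 -S settimeofday -k time-change
-e 2
""".splitlines()

if __name__ == "__main__":
    print("\n".join(regroup(SAMPLE)))
```

Rules that never had the auid filter must stay above the never rule, otherwise they would stop matching events from auid<400 as well.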