Re: BIG performance hit with auditd on large systems (>64 CPUs)
>> your rules to put all the ones with '-F auid>=400'
below a single
>> line rule
>> like this:
>> -a never,exit -F auid<400
>>
>> and remove the '-F auid>=400' from all of the rules below it.
>>
> ...
>
> I did this, and verified it, but there was absolutely no difference
> to unsorted rules having​ -S all also specified
>
> Still cpu %system up to 50% and run time of jobs 100% longer.
> This was on a vm with 72 cpus
>
Just to give this story some kind of closure: we got a test kernel from
$SUPPORT fixing a specifig bugzilla (which seems to be private) and %cpu
system is in normal (low) ranges again.
So thanks for your advices, they are still heeded!
Klaus
--
------------------------------------------------------------------------
Klaus Lichtenwalder, Dipl. Inform., http://www.lichtenwalder.name/
PGP Key fingerprint: 3AE6 044D 1161 1ABF AC2D 23B3 4C15 7232 FDCA 0980