file watch question

Reading the man page for auditctl, looking at file watch rules I see this: -w path Insert a watch for the file system object at path. You cannot insert a watch to the top level directory. This is prohibited by the kernel. Wildcards are not supported either and will generate a warning. The way that watches work is by tracking the inode internally. If you place a watch on a file, its the same as using the -F path option on a syscall rule. If you place a watch on a directory, its the same as using the -F dir option on a syscall rule. The -w form of writing watches is for backwards compatibility and the syscall based form is more expressive. Unlike most syscall auditing rules, watches do not impact performance based on the number of rules sent to the kernel. The only valid options when using a watch are the -p and -k. If you need to anything fancy like audit a specific user accessing a file, then use the syscall auditing form with the path or dir fields. See the EXAMPLES section for an example of converting one form to another. I assume if the "-w form" is just backwards-compatible, it is preferred to use the syscall method. Question - The line saying, "Unlike most syscall auditing rules, watches do not impact performance based on the number of rules sent to the kernel" - does this mean that BOTH the "-w" and "syscall" rules have no performance impact? Thx, LCB -- LC (Lenny) Bruzenak lenny(a)magitekltd.com