Last attempt, today isn't fairing well for me. I promise no more duplicate
messages.
Appologies for the double-send, but the first one is clearly incomplete,
somehow I managed to hit send.
To begin the space-requirements discussion:
A log file of 2133 lines, having been generated from running the system
call tests suite, is a size of 302539 bytes (300k if you will).
While this isn't truely indicitive of the size, and I'm sure Ken's
production environment will yeild more insightful results, this still gives
us a pretty good idea of size vs space requirements.
This ratio yields a value of approximately 141 bytes per line. The standard
SYSCALL log entry (which generates the SYSCALL, CWD & PATH records), is 483
bytes per syscall. So after about 2000 syscalls, your log is already a meg.
Of course, that doesn't include audit start/stop and rule additions, but I
think it would be safe to assume those aren't going to happen with any sort
of frequency that it will cause a significant impact.
Mike