Re: audit.log space requirements:
--- Steve Grubb <sgrubb(a)redhat.com> wrote:
Thanks for the info. This is helpful
On Wednesday 15 June 2005 17:08, you wrote:
> On a largish server that's pretty busy the
> rate is about 20MB/minute on Irix. That't
> with no audit on network packet delivery, and
> audit turned on for file opens and attribute
> modifications.
I wonder how many events that translates into. Just
so we get a feel for
average bytes per event.
Use 200 bytes/event as a swag. The Irix rename(2)
syscall stores 3 pathname pairs in some cases,
resulting in records that can exceed 2000 bytes.
As I said before, log pathnames cause records to
swell.
One difference is that we are purely text mode right
now. No binary records.
What we are trying to determine is if this is going
to cause us problems.
It really shouldn't matter in the long run
as pathnames will overwhelm all other record
contents on most production systems. What may
become an issue is using the kernel to do the
translation of numeric data to text. That can
be done at search/analysys time instead.
Casey Schaufler
casey(a)schaufler-ca.com
__________________________________
Discover Yahoo!
Have fun online with music videos, cool games, IM and more. Check it out!
http://discover.yahoo.com/online.html