LC Bruzenak wrote:
> And what you are saying is that rather than use the ausearch equivalent
> (or whatever tool which uses the auparse library) on the receiving end, it
> is more expedient to combine the records into one event prior to sending?
> IIUC, is it because of the reduced amount of data flowing or less
> processing needed on the receiving end (or both)?
Well, I'm tuning for the particular tool in use by my customer. This particular tool has problems with this workload. I can't back up a generalisation with numbers. However, architecturally the host seems like the right place to do this. It's much cheaper to do on the host as you don't have to filter out events from other hosts, and you're also distributing the load somewhat.

Interestingly, on the host load point, I quite unexpectedly saw an improvement in host performance when sending combined messages. Run time of a pathological test case improved about 5%. The code isn't production quality yet, and I haven't done any major analysis of that, but my guess is that the slight increase in work to stitch the messages together is outweighed by the reduction in the number of network system calls.

Matt

-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services

M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
