Write your own program to receive audit events directly without using auditd... That should be faster... Auditd will log the events to disk, causing more I/O than you need...
On Wednesday, January 28, 2015, Viswanath, Logeswari P (MCOU OSTL) <logeswari...@hp.com> wrote:

> Hi Steve,
>
> I am Logeswari working for HP.
>
> We want to know audit performance impact on RHEL and Suse linux to help us
> evaluate linux audit as data source for our host based IDS.
>
> When we ran our own performance test with a test audispd plugin, we found
> if a system can perform 200000 open/close system calls per second without
> auditing, system can perform only 3000 open/close system calls when auditing is
> enabled for open/close system call which is a HUGE impact on the system
> performance. It would be great if anyone can help us answering the
> following questions.
>
> 1) Is this performance impact expected? If yes, what is the reason
> behind it and can we fix it?
>
> 2) Has anyone done any benchmarking for performance impact? If yes,
> can you please share the numbers and also the steps/programs used to run
> the same.
>
> 3) Help us validating the performance test we have done in our test
> setup using the steps mentioned along with the results attached.
>
> Attached test program (loader.c) to invoke open and close system calls.
>
> Attached idskerndsp is the audispd plugin program.
>
> We used time command to determine how much time the system took to
> complete 50000 open/close system calls without (results attached
> Without-auditing) and with auditing enabled on the system
> (With-auditing-NOLOG-audispd-plugin and With-auditing-RAW)
>
> System details:
>
> 1 CPU machine
>
> *OS Version*
>
> RHEL 6.5
>
> *Kernel Version*
>
> uname -r
>
> 2.6.32-431.el6.x86_64
>
> Note: auditd was occupying 35% of CPU and was sleeping for most of the
> time whereas kauditd was occupying 20% of the CPU.
>
> Thanks & Regards,
>
> Logeswari.

--
Please Donate to www.wikipedia.org
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
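The measurement described in the quoted message (timing 50000 open/close calls with and without auditing) can be reproduced with a small timing harness. This is an added example, not the loader.c attached to the original message and not code from either poster; the function names and the default `/dev/null` target are assumptions. Run it once with the open/close audit rules loaded and once without, and compare the reported rates.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>

/* Run `pairs` open()/close() pairs on `path` (hypothetical helper).
 * Returns how many pairs completed; stores wall-clock seconds in *elapsed.
 * Timing is taken inside the process so fork/exec cost is excluded. */
long run_open_close(const char *path, long pairs, double *elapsed)
{
    struct timespec t0, t1;
    long ok = 0;

    clock_gettime(CLOCK_MONOTONIC, &t0);
    for (long i = 0; i < pairs; i++) {
        int fd = open(path, O_RDONLY);
        if (fd < 0)
            continue;              /* failed open: pair not counted */
        if (close(fd) == 0)
            ok++;
    }
    clock_gettime(CLOCK_MONOTONIC, &t1);

    *elapsed = (double)(t1.tv_sec - t0.tv_sec)
             + (double)(t1.tv_nsec - t0.tv_nsec) / 1e9;
    return ok;
}

/* Completed open/close pairs per second; 0 if no time was measured. */
double pairs_per_second(long ok_pairs, double elapsed)
{
    return elapsed > 0.0 ? (double)ok_pairs / elapsed : 0.0;
}

int main(int argc, char **argv)
{
    /* Defaults are assumptions: /dev/null as target, 50000 pairs. */
    const char *path = argc > 1 ? argv[1] : "/dev/null";
    long pairs = argc > 2 ? strtol(argv[2], NULL, 10) : 50000;
    double elapsed;
    long ok = run_open_close(path, pairs, &elapsed);

    printf("%ld/%ld open/close pairs in %.6f s (%.0f pairs/s)\n",
           ok, pairs, elapsed, pairs_per_second(ok, elapsed));
    return ok == pairs ? 0 : 1;
}
```

Repeating each run several times and comparing medians reduces noise from caching and scheduler effects, which matters on a 1 CPU machine where auditd and kauditd compete with the test program for the same core.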