From: Clif Flynt <clif@cflynt.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com, Clif Flynt <clif@cflynt.com>
Subject: Re: SQLite Clarification
Date: Mon, 31 Jul 2006 18:05:21 -0400 [thread overview]
Message-ID: <20060731220521.GA1584@clif.cflynt.com> (raw)
In-Reply-To: 20060731200523.GA1183@clif.cflynt.com
Hi,
I just talked the audit/sqlite stuff over with Richard Hipp.
One approach would be to have the audisp application put the data
into a TEMP table, then dump those tables to the main disk tables at
some interval. After the data is copied to the permanent tables, the
TEMP table is cleared.
The TEMP tables resides in memory, and are private to the application
- there can be no contention problems putting the data into those tables.
If writing the temp table to the main table fails because the db is
locked, the temp tables don't get cleared and there is just that much
more to be dumped when the disk is available.
My experience with SQLite is that dumping multiple records is nearly
as fast as dumping one. It's a K+N*x type situation where N is the
number of records, K is a "constant", and x is much smaller than K. I
think the main contributor to K is the disk latency time, while the
main contributor to x is memory access time.
When it comes to someone gathering so much audit data that the
logging routines get swamped, he agrees that dumping to a flat file is
the fastest way to get the data out of memory and onto the disk.
He thinks that my current approach of scanning the flat files and
building a one-time database may be the best way to avoid dragging down
the kernel.
The compromise might be to keep a permanent database, and just update
it with the new records when the reporter is run, or from a cron job,
rather than needing to include all records since the beginning of time
(or when you want to start generating a report from.)
The way write/read contention problems is handled is that the write
will block for up to N (configurable) milliseconds, and then will
either succeed or fail and return a failure message.
Clif
--
.... Clif Flynt ... http://www.cflynt.com ... clif@cflynt.com ...
.. Tcl/Tk: A Developer's Guide (2nd edition) - Morgan Kauffman ..
..13th Annual Tcl/Tk Conference: Oct 9-13, 2006, Chicago, IL ..
............. http://www.tcl.tk/community/tcl2006/ ............
prev parent reply other threads:[~2006-07-31 22:05 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-07-31 17:14 New List Member: Intro & comments Clif Flynt
2006-07-31 17:54 ` Steve Grubb
2006-08-07 9:37 ` Marcus Meissner
2006-07-31 20:05 ` SQLite Clarification Clif Flynt
2006-07-31 21:13 ` Steve Grubb
2006-08-02 20:49 ` auditctl question Lane Williams
2006-08-02 22:03 ` Steve Grubb
2006-08-02 22:15 ` Linda Knippers
2006-08-02 22:29 ` Steve Grubb
2006-08-03 0:22 ` Klaus Weidner
2006-08-03 13:00 ` Williams, P. Lane
2006-08-03 15:18 ` Klaus Weidner
2006-08-03 20:02 ` Williams, P. Lane
2006-08-03 20:29 ` Klaus Weidner
2006-08-03 21:06 ` Steve Grubb
2006-08-04 1:50 ` Williams, P. Lane
2006-08-04 10:28 ` Steve Grubb
2006-08-04 12:48 ` Lane Williams
2006-07-31 22:05 ` Clif Flynt [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060731220521.GA1584@clif.cflynt.com \
--to=clif@cflynt.com \
--cc=linux-audit@redhat.com \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.