From mboxrd@z Thu Jan  1 00:00:00 1970
From: Clif Flynt <clif@cflynt.com>
Subject: Re: SQLite Clarification
Date: Mon, 31 Jul 2006 18:05:21 -0400
Message-ID: <20060731220521.GA1584@clif.cflynt.com>
References: <20060731171437.GA447@clif.cflynt.com>
	<20060731200523.GA1183@clif.cflynt.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [172.16.48.31])
	by int-mx1.corp.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id
	k6VM5sv2006496
	for <linux-audit@redhat.com>; Mon, 31 Jul 2006 18:05:54 -0400
Received: from mail02.ic.net (mail02.ic.net [152.160.7.138])
	by mx1.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id
	k6VM5rO6013059
	for <linux-audit@redhat.com>; Mon, 31 Jul 2006 18:05:53 -0400
Received: from ic.net (relay084.ic.net [152.160.8.94])
	by mail02.ic.net (Postfix) with SMTP id 05EE897F069
	for <linux-audit@redhat.com>; Mon, 31 Jul 2006 18:05:47 -0400 (EDT)
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com, Clif Flynt <clif@cflynt.com>
List-Id: linux-audit@redhat.com

Hi,
  I just talked the audit/sqlite stuff over with Richard Hipp.  
  
  One approach would be to have the audisp application put the data
into a TEMP table, then dump those tables to the main disk tables at
some interval.  After the data is copied to the permanent tables, the
TEMP table is cleared.

  The TEMP tables resides in memory, and are private to the application
- there can be no contention problems putting the data into those tables.

  If writing the temp table to the main table fails because the db is
locked, the temp tables don't get cleared and there is just that much
more to be dumped when the disk is available.

  My experience with SQLite is that dumping multiple records is nearly
as fast as dumping one.  It's a K+N*x type situation where N is the
number of records, K is a "constant", and x is much smaller than K.  I
think the main contributor to K is the disk latency time, while the
main contributor to x is memory access time.

  When it comes to someone gathering so much audit data that the
logging routines get swamped, he agrees that dumping to a flat file is
the fastest way to get the data out of memory and onto the disk.

  He thinks that my current approach of scanning the flat files and
building a one-time database may be the best way to avoid dragging down
the kernel.

  The compromise might be to keep a permanent database, and just update
it with the new records when the reporter is run, or from a cron job,
rather than needing to include all records since the beginning of time
(or when you want to start generating a report from.)

  The way write/read contention problems is handled is that the write
will block for up to N (configurable) milliseconds, and then will
either succeed or fail and return a failure message.

  Clif

-- 
.... Clif Flynt ... http://www.cflynt.com ... clif@cflynt.com ...
.. Tcl/Tk: A Developer's Guide (2nd edition) - Morgan Kauffman ..
..13th Annual Tcl/Tk Conference:  Oct 9-13, 2006,  Chicago, IL ..
.............  http://www.tcl.tk/community/tcl2006/  ............