From: LC Bruzenak
Subject: ausearch checkpoint question
Date: Thu, 29 Sep 2016 12:30:04 -0700
Message-ID: <57ED6BBC.7030503@magitekltd.com>
To: linux-audit@redhat.com

I'm using the 2.4.5-3 audit rpm set, and I tried using the ausearch "checkpoint" option a couple of weeks ago. This was on a moderately busy system (judging by my own systems/experience), generating, say, 300-400MB of data/day.

I tried the checkpoint option in a 5-minute cron job, and I noticed that, in comparison to the "-ts recent" option, it took far longer to complete. The "recent" option result was less than a second, whereas the checkpoint version took ~20 seconds every 5 minutes.

It's possible there were other factors at play; e.g. it was used on an mls-policy machine, and although I saw no AVCs, it's possible there were some access issues I didn't have time to investigate. In my intended application, I'll be on a standard targeted-policy machine, so this won't be a potential factor.
I need to test this again, as I'm considering using the ausearch checkpoint capability for some new requirements. I was wondering whether there were any timing results done, or if there are any tips and tricks for getting the most out of it. Also, the man page section describing this is a little confusing to me, so if anyone has a script segment, that would be very helpful.

Thanks in advance,
LCB

--
LC Bruzenak
magitekltd.com
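An added example, not from the original mail or from the audit project, of the kind of cron-driven checkpoint script asked for above. The checkpoint path, output directory and lock directory are made-up defaults for illustration. The script relies only on documented ausearch behaviour: --checkpoint FILE prints just the events after the one recorded in FILE and rewrites FILE on success, --input-logs makes ausearch read the log location from auditd.conf (the man page notes this is needed when running from cron), and exit status 1 means nothing matched. Anything else is treated as a failure, since the man page assigns separate non-zero codes to checkpoint problems.

```shell
#!/bin/sh
# Incremental audit export driven by ausearch --checkpoint.
# Added example; paths below are assumptions, not values from the mail.

CHECKPOINT=${CHECKPOINT:-/var/lib/audit-export/ausearch.checkpoint}
OUTDIR=${OUTDIR:-/var/lib/audit-export}
LOCK=${LOCK:-/var/lib/audit-export/.run.lock}

# run_incremental: one cron invocation. Appends only the events logged since
# the last successful run to OUTDIR/events-YYYYmmdd.log and reports how long
# the ausearch call took, which is the number the mail is asking about.
# Returns 0 on success or when there was nothing new, non-zero otherwise.
run_incremental() {
    mkdir -p "$OUTDIR" || return 1

    # mkdir is atomic, so it serves as a lock: if a run takes longer than the
    # cron interval, the next one skips instead of racing on the checkpoint.
    if ! mkdir "$LOCK" 2>/dev/null; then
        echo "audit-export: previous run still active, skipping" >&2
        return 0
    fi

    out="$OUTDIR/events-$(date +%Y%m%d).log"
    start=$(date +%s)

    # --input-logs: take the log file list from auditd.conf (needed under cron).
    # --checkpoint: resume after the event recorded on the previous run; the
    # file is updated by ausearch itself when the run completes.
    # Raw (non -i) output is kept so downstream tools get the original fields.
    if ausearch --input-logs --checkpoint "$CHECKPOINT" >> "$out"; then
        rc=0
    else
        rc=$?
    fi

    rmdir "$LOCK"
    elapsed=$(( $(date +%s) - start ))
    echo "audit-export: ausearch rc=$rc elapsed=${elapsed}s" >&2

    case $rc in
        0) return 0 ;;   # new events appended to $out
        1) return 0 ;;   # "<no matches>": nothing since the checkpoint
        *) echo "audit-export: ausearch failed (rc=$rc), checkpoint not advanced" >&2
           return "$rc" ;;
    esac
}

# Only run when executed directly, so the function can also be sourced.
case $0 in
    *audit-incremental.sh) run_incremental ;;
esac
```

Install as, for example, /usr/local/sbin/audit-incremental.sh with a crontab entry of `*/5 * * * * /usr/local/sbin/audit-incremental.sh`; the elapsed-time line on stderr lands in cron mail or the journal and gives a per-run timing record. On the first run there is no checkpoint file yet, so ausearch has nothing to resume from and emits everything it reads; run it once by hand to prime the checkpoint before enabling the cron entry.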