Re: Auditd hangs hard

[Matthew Booth <mbooth@redhat.com>]

[-- Attachment #1.1: Type: text/plain, Size: 1324 bytes --]

On Tue, 2007-06-12 at 12:45 -0400, Steve Grubb wrote:
> It depends on how you have the configuration set. If you set disp_qos to 
> lossy, then it should have discarded packets sent to the dispatcher. The only 
> thing that it would be waiting on at that point is disk writing which has 
> several tunables, too. If the dispatcher was the limiting factor, you may 
> have to make it multi-threaded with one thread assigned to drain the auditd 
> interface and write it to a fifo where another thread writes to syslog. This 
> would allow the audit system to make better use of its time slice.

dispatcher qos set to lossy. All writing to disk disabled. Limiting
factor appeared to have been auditd not being scheduled often enough, so
the performance factor appears to be the behaviour of the kernel when
it's buffers are full.

> > If it's configured to drop messages rather than kill the system, 
> > it could probably disable auditing entirely when the kernel buffer is
> > full, and only re-enable it when there's enough space.
> 
> How big was the kernel buffer when you had problems? (Its adjustable.)

32k

Matt
-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490

[-- Attachment #1.2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]