From mboxrd@z Thu Jan 1 00:00:00 1970 From: Matthew Booth Subject: Re: Auditd hangs hard Date: Tue, 12 Jun 2007 17:54:30 +0100 Message-ID: <1181667270.26075.12.camel@localhost.localdomain> References: <1181313174.19818.8.camel@localhost.localdomain> <200706090759.06963.sgrubb@redhat.com> <1181638227.26075.5.camel@localhost.localdomain> <200706121245.45399.sgrubb@redhat.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0024662977==" Return-path: In-Reply-To: <200706121245.45399.sgrubb@redhat.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Steve Grubb Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com --===============0024662977== Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-Ajqd34zqHx+kV0EJ8hHT" --=-Ajqd34zqHx+kV0EJ8hHT Content-Type: text/plain Content-Transfer-Encoding: quoted-printable On Tue, 2007-06-12 at 12:45 -0400, Steve Grubb wrote: > It depends on how you have the configuration set. If you set disp_qos to=20 > lossy, then it should have discarded packets sent to the dispatcher. The = only=20 > thing that it would be waiting on at that point is disk writing which has= =20 > several tunables, too. If the dispatcher was the limiting factor, you may= =20 > have to make it multi-threaded with one thread assigned to drain the audi= td=20 > interface and write it to a fifo where another thread writes to syslog. T= his=20 > would allow the audit system to make better use of its time slice. dispatcher qos set to lossy. All writing to disk disabled. Limiting factor appeared to have been auditd not being scheduled often enough, so the performance factor appears to be the behaviour of the kernel when it's buffers are full. > > If it's configured to drop messages rather than kill the system,=20 > > it could probably disable auditing entirely when the kernel buffer is > > full, and only re-enable it when there's enough space. >=20 > How big was the kernel buffer when you had problems? (Its adjustable.) 32k Matt --=20 Matthew Booth, RHCA, RHCSS Red Hat, Global Professional Services M: +44 (0)7977 267231 GPG ID: D33C3490 GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490 --=-Ajqd34zqHx+kV0EJ8hHT Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iD8DBQBGbs/GNEHqGdM8NJARArKnAJ47HD7veERLFo6jC8y4FrEfLgiMnACfRY7F ZM9FmQIaIRg8tZ8IGA+XVEo= =FfT6 -----END PGP SIGNATURE----- --=-Ajqd34zqHx+kV0EJ8hHT-- --===============0024662977== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline --===============0024662977==--