From mboxrd@z Thu Jan 1 00:00:00 1970 From: LC Bruzenak Subject: performance questions Date: Thu, 29 Sep 2011 10:33:09 -0500 Message-ID: <1317310389.2959.93.camel@lcb> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Received: from mx1.redhat.com (ext-mx12.extmail.prod.ext.phx2.redhat.com [10.5.110.17]) by int-mx12.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id p8TFXOdI026655 for ; Thu, 29 Sep 2011 11:33:24 -0400 Received: from webserver.magitekltd.com (rrcs-24-242-137-197.sw.biz.rr.com [24.242.137.197]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id p8TFXFDU016962 for ; Thu, 29 Sep 2011 11:33:15 -0400 Received: from [24.242.137.194] (helo=[192.168.30.40]) by webserver.magitekltd.com with esmtpsa (SSL3.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1R9Ibq-0006YL-NP for linux-audit@redhat.com; Thu, 29 Sep 2011 10:33:14 -0500 List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Linux Audit List-Id: linux-audit@redhat.com I was looking at some strace results from a process using the audit_log_user_message call and I think I see how I can eliminate some ioctls and /proc/self lookups by setting the hostname/tty parameters to non-NULL pointers pointing to NULL values. But the exename is another story. It does a lookup each time. We have persistent processes each of which submit 100Ks (on the way to 1Ms) of audit_log_user_message events daily, so it would make a difference. I was thinking about a patch to store off the exename statically if one isn't already in the pipeline. Let me know; I'll submit something if not. The other question is on the auditd side. IIUC on each event the write_to_log function is checking the logfile size. Seems to me that we could limit the fstat checks to say one every ten events or so. Any problems there? Thx, LCB -- LC (Lenny) Bruzenak lenny@magitekltd.com