public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: Matthew Booth <mbooth@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: Auditd hangs hard
Date: Tue, 12 Jun 2007 12:45:45 -0400
Message-ID: <200706121245.45399.sgrubb@redhat.com>
In-Reply-To: <1181638227.26075.5.camel@localhost.localdomain>

On Tuesday 12 June 2007 04:50:27 Matthew Booth wrote:
> > Does boosting the priority so auditd runs more often help? I think it
> > defaults to 3, you can make it 10 for an experiment.
>
> Thanks, Steve. This put me on the right track. It turns out that not
> only is LSF very noisy, but it also runs itself with niceness -20.
> Renicing it to -5 and running auditd at -10 fixes the problem.

Good.


> It does strike me that audit could cope with overload much better,
> though.

It depends on how you have the configuration set. If you set disp_qos to 
lossy, then it should have discarded packets sent to the dispatcher. The only 
thing that it would be waiting on at that point is disk writing which has 
several tunables, too. If the dispatcher was the limiting factor, you may 
have to make it multi-threaded with one thread assigned to drain the auditd 
interface and write it to a fifo where another thread writes to syslog. This 
would allow the audit system to make better use of its time slice.


> If it's configured to drop messages rather than kill the system, 
> it could probably disable auditing entirely when the kernel buffer is
> full, and only re-enable it when there's enough space.

How big was the kernel buffer when you had problems? (It's adjustable.)

-Steve
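
The tunables named in this message (disp_qos, auditd's priority, the kernel buffer size) can be checked together. The script below is an added example, not part of the original email or the audit project's code; it assumes saved `auditctl -s` output and an auditd.conf that uses the `disp_qos` and `priority_boost` keys, and its function names and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: print one line per sign that auditd is falling behind
# the kernel, from saved `auditctl -s` output and an auditd.conf.

# status_get FIELD FILE: value of FIELD in auditctl -s output. Accepts
# "field=value" on one line as well as "field value" one per line.
status_get() {
    tr '=\n' '  ' < "$2" |
        awk -v f="$1" '{ for (i = 1; i < NF; i++) if ($i == f) { print $(i + 1); exit } }'
}

# conf_get KEY FILE: value of "key = value" in auditd.conf, comments skipped.
conf_get() {
    awk -F= -v k="$1" '/^[ \t]*#/ { next }
        { key = tolower($1); gsub(/[ \t]/, "", key)
          if (key == k) { v = tolower($2); gsub(/[ \t]/, "", v); print v; exit } }' "$2"
}

# audit_pressure STATUS_FILE CONF_FILE
audit_pressure() {
    lost=$(status_get lost "$1")
    backlog=$(status_get backlog "$1")
    limit=$(status_get backlog_limit "$1")
    qos=$(conf_get disp_qos "$2")
    boost=$(conf_get priority_boost "$2")
    # Records the kernel dropped because its buffer was full.
    [ "${lost:-0}" -gt 0 ] && echo "LOST $lost records dropped by the kernel"
    # Kernel queue at 80% or more of its limit: auditd is not draining it.
    [ "${limit:-0}" -gt 0 ] && [ $(( ${backlog:-0} * 100 / limit )) -ge 80 ] &&
        echo "BACKLOG $backlog of $limit queued; the limit is set with auditctl -b"
    # lossless makes auditd wait for the dispatcher instead of discarding.
    [ "$qos" = lossless ] && echo "QOS disp_qos=lossless; auditd waits on a slow dispatcher"
    echo "INFO priority_boost=${boost:-unset}"
}

# Constructed sample inputs (not taken from the thread).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'AUDIT_STATUS: enabled=1 flag=1 pid=2011 rate_limit=0 backlog_limit=256 lost=1392 backlog=251\n' > "$tmp/status"
printf '# constructed sample\ndisp_qos = lossless\npriority_boost = 3\n' > "$tmp/auditd.conf"
audit_pressure "$tmp/status" "$tmp/auditd.conf"
```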

Thread overview: 5+ messages
2007-06-08 14:32 Auditd hangs hard Matthew Booth
2007-06-09 11:59 ` Steve Grubb
2007-06-12  8:50   ` Matthew Booth
2007-06-12 16:45     ` Steve Grubb [this message]
2007-06-12 16:54       ` Matthew Booth