From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: audit-viewer performance
Date: Sat, 19 Dec 2009 08:34:49 -0500 [thread overview]
Message-ID: <200912190834.49870.sgrubb@redhat.com> (raw)
In-Reply-To: <cecd18b00912181742q401a8e47t101cd321fa43b871@mail.gmail.com>
On Friday 18 December 2009 08:42:51 pm LC Bruzenak wrote:
> What is the plan for this tool? As I said, I think it is very nice
> feature-wise in general but in practice it isn't living up to
> expectations.
> I can try to help but will take a while to get python-proficient. Or
> is the trouble in the parse library?
The audit parsing library has not been optimized for handling large data sets.
I don't think its the entire problem you are seeing, but I'm sure its a
contributor to the problem. I was planning to look at performance issues in a
future release.
The immediate plans are:
1) Get store and forward working for remote logging
2) Get intermingled records fixed in auparse
3) Get sighup corrected for network options
4) Look at performance issues in auparse
The biggest obstacle is #2 above. What makes fixing this in auparse so much fun
is that there is a state machine right in the middle of auparse (due to the
feed input option) that was not in aureport or ausearch, so I couldn't fix it
at the same time.
> I do not have scientific data yet, but recently I loaded one 100MB
> audit file from the store. It took around 3 minute to load. Then I
> changed the source and that one took longer. When it was finally
> loaded it, the process size was over 2GB.
Sure. The audit viewer could be changed to hold only the records that might be
displayed and not all of them. It would then need to track what's displayed
and start a background thread to gather more info for display as you scroll
around.
> I can run some better tests and try to get some data if it is helpful.
> Are there ways I can try to exercise the parse library outside the GUI
> on these same files which might help me know what to look for?
The parse library has some test programs in
https://fedorahosted.org/audit/browser/trunk/auparse/test
that could be adapted for performance testing. But I don't want to change the
code in auparse until after we make it handle interlaced records correctly.
But you could test the native C library against the python version to see if
python itself is adding delay.
-Steve
PS - I keep a TODO file up to date that will always let you know what the
immediate plans are: https://fedorahosted.org/audit/browser/trunk/TODO
next prev parent reply other threads:[~2009-12-19 13:34 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-12-19 1:42 audit-viewer performance LC Bruzenak
2009-12-19 13:34 ` Steve Grubb [this message]
2009-12-19 18:20 ` LC Bruzenak
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200912190834.49870.sgrubb@redhat.com \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox