Make the dispatcher run faster?

Make the dispatcher run faster?

[Aaron Lewis]

Hi,

I've replaced the dispatcher with a self-written one, it only prints
what it sees.

Now I run auditd -f to make it stay foreground, and feed it with a
massive amount of data,

But the dispatcher prints one line for each second. Is there any speed
limitation?

If so, how do I change that

Thanks!
-- 
Best Regards,
Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E

Re: Make the dispatcher run faster?

[Steve Grubb]

On Thu, 26 Dec 2013 11:58:32 +0800
Aaron Lewis <the.warl0ck.1989@gmail.com> wrote:
> I've replaced the dispatcher with a self-written one, it only prints
> what it sees.
> 
> Now I run auditd -f to make it stay foreground, and feed it with a
> massive amount of data,
> 
> But the dispatcher prints one line for each second. Is there any speed
> limitation?
> 
> If so, how do I change that

The audit daemon only keeps one event "in flight" until its consumed by
all sources. This is partly a limitation imposed by CC requirements
that loss of audit capability have a known limit on potentially lost
events. Generally it gets rid of events quickly.

One question to ask would be if auditd is writing to disk? If so, maybe
changing the writeback scheme would help. Besides that, you can change
the priority of auditd and/or the dispatcher.

-Steve