From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: auditd performance
Date: Sun, 27 Dec 2015 10:30:56 -0500 [thread overview]
Message-ID: <2172019.qmNGYP4Gf3@x2> (raw)
Hello,
I've been looking into auditd's performance. The first thing I did was to
measure the rate at which it could log things with various settings. To do
this test, I had 2 windows open. One to start auditd from the command line
without systemd interference and one to run a script as follows:
auditctl -D
auditctl -b 16440
auditctl -f 0
auditctl --backlog_wait_time 100
auditctl -a always,exit -F arch=x86_64 -S all
sleep 3
service auditd stop
auditctl -D
The results of various settings are as follows:
FLUSH FREQ Events/sec
------------------------------------------------------
SYNC 45
DATA 105
INCREMENTAL 20 400
50 1000
100 1815
200 3080
400 5800
1000 10100
2000 15275
4000 18650
8000 24075
NONE 38300
In looking further, I found that there was a lot of lock contention and
scheduling issues because of pthreads. I mapped out the paths in the code to
get a picture of where events come from and where they go:
http://people.readhat.com/sgrubb/audit/auditd-data-flow.pdf
The blue boxes are where events come from, the red boxes are where we have
contention. The gray is the path on the logging thread. The white boxes are
the main thread.
What I found is that if I make enqueue_event call write_to_log directly, it
doubles the throughput of the audit daemon. IOW, going from multi-threaded to
singly threaded makes a huge difference. The audit daemon was multi-threaded
from the very first public release back in 2004 before I started working on it.
So, what I think I am going to do is fix it to be singly threaded, fix the
signal handlers to set a variable on error so that the main thread picks it up
to serialize it with other events, move size check and rotate code, and remove
the pthreads code.
That leaves an issue with dispatching events to other programs. What I have
been thinking about is perhaps using libevfibers to manage switching between
logging and dispatching.
One other tidbit that I found out during testing, if I generate so many events
that it overflows the kernel queue, the default settings for backlog_wait_time
makes the system unusable. It acts like its live-locked. So, I would recommend
that the default setting in the kernel be changed to something more livable
and anyone concerned about this to explicitly set the value to something low.
-Steve
reply other threads:[~2015-12-27 15:30 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2172019.qmNGYP4Gf3@x2 \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox