From: Matthew Booth <mbooth@redhat.com>
To: LC Bruzenak <lenny@magitekltd.com>
Cc: Linux Audit <linux-audit@redhat.com>
Subject: Re: A combined audit event message
Date: Fri, 27 Feb 2009 22:27:02 +0000 [thread overview]
Message-ID: <49A868B6.7060005@redhat.com> (raw)
In-Reply-To: <1235772755.7212.50.camel@homeserver>
LC Bruzenak wrote:
> And what you are saying is that rather than use the ausearch equivalent
> (or whatever tool which uses auparse library) on the receiving end, it
> is more expedient to combine the record into one event prior to sending?
> IIUC, is it because of the reduced amount of data flowing or less
> processing needed on the receiving end (or both)?
>

Well, I'm tuning for the particular tool in use by my customer. This
particular tool has problems with this workload. I can't back up a
generalisation with numbers.

However, architecturally the host seems like the right place to do this.
It's much cheaper to do on the host as you don't have to filter out
events from other hosts, and you're also distributing the load somewhat.

Interestingly on the host load point, I quite unexpectedly saw an
improvement in host performance when sending combined messages. Run time
of a pathological test case improved about 5%. The code isn't production
quality yet, and I haven't done any major analysis of that, but my guess
is that the slight increase in work to stitch the messages together is
outweighed by the reduction in the number of network system calls.

Matt
--
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
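The stitching Matt describes above, shown as an added example (not his code and not part of the audit project): the kernel tags every record of one event with the same `msg=audit(TIMESTAMP:SERIAL)` key and, for multi-record events, closes it with an EOE record, so a host-side plugin can collect records per key and emit one message per event instead of one per record. The audit lines below are constructed for illustration, and `EventStitcher`, `combine_events` and `format_event` are names chosen here. The example also handles two edge cases a real stream produces: records of different events interleaving, and single-record events (such as USER_LOGIN) that never receive an EOE.

```python
"""Group the records of one Linux audit event into a single message.

Added example, not code from the original mail. The records below are
constructed sample lines in the raw audit.log format.
"""
import re

# type=<RECORD_TYPE> msg=audit(<secs.msecs>:<serial>): <fields>
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")

# Constructed sample: event 43 starts before event 42 has ended, and the
# USER_LOGIN event (44) is a single record with no EOE.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1235772755.123:42): arch=c000003e syscall=2 success=yes exit=3 a0=0 a1=0 comm="cat" exe="/bin/cat" key="watch-etc"
type=CWD msg=audit(1235772755.123:42):  cwd="/root"
type=PATH msg=audit(1235772755.123:42): item=0 name="/etc/shadow" inode=1234 dev=fd:00 mode=0100000 ouid=0 ogid=0
type=SYSCALL msg=audit(1235772755.130:43): arch=c000003e syscall=59 success=yes exit=0 comm="ls" exe="/bin/ls"
type=USER_LOGIN msg=audit(1235772755.200:44): pid=900 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" addr=192.0.2.10 terminal=/dev/pts/0 res=success'
type=EOE msg=audit(1235772755.123:42):
type=PROCTITLE msg=audit(1235772755.130:43): proctitle=6C73
type=EOE msg=audit(1235772755.130:43):
"""


def parse_record(line):
    """Split one raw audit line into (type, timestamp, serial, fields), or None."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, fields = m.groups()
    return rtype, ts, int(serial), fields


class EventStitcher:
    """Collect the records of each in-flight event until its EOE record.

    On a busy host the records of different events interleave, so open
    events are keyed by (timestamp, serial) rather than assumed contiguous.
    """

    def __init__(self):
        self.open = {}  # (timestamp, serial) -> [(record type, fields), ...]

    def feed(self, line):
        """Consume one raw line; return a completed event dict, or None."""
        rec = parse_record(line)
        if rec is None:
            return None  # not an audit record; ignore
        rtype, ts, serial, fields = rec
        key = (ts, serial)
        if rtype == "EOE":
            # End of event: hand back everything collected under this key.
            return {"time": ts, "serial": serial, "records": self.open.pop(key, [])}
        self.open.setdefault(key, []).append((rtype, fields))
        return None

    def flush(self):
        """Emit events that never got an EOE (single-record events, or a stream cut short)."""
        done = [{"time": ts, "serial": serial, "records": recs}
                for (ts, serial), recs in self.open.items()]
        self.open.clear()
        return done


def format_event(ev):
    """Render one event as a single line: the audit key once, records joined with ' | '."""
    body = " | ".join(f"{rtype} {fields}".rstrip() for rtype, fields in ev["records"])
    return f"audit({ev['time']}:{ev['serial']}): {body}"


def combine_events(lines):
    """Turn a sequence of raw audit lines into a list of combined event dicts."""
    stitcher = EventStitcher()
    events = []
    for line in lines:
        ev = stitcher.feed(line)
        if ev is not None:
            events.append(ev)
    events.extend(stitcher.flush())
    return events


if __name__ == "__main__":
    for ev in combine_events(SAMPLE_LOG.splitlines()):
        print(format_event(ev))
```

Eight raw lines become three messages here, which is the reduction in send calls the mail attributes the speed-up to. A production plugin would also need a timeout on open events, since an EOE can be lost when the kernel backlog overflows; `flush()` only covers end of input.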
Thread overview:
2009-02-27 21:21 A combined audit event message Matthew Booth
2009-02-27 21:28 ` Steve Grubb
2009-02-27 21:32 ` Matthew Booth
2009-02-27 21:51 ` Matthew Booth
2009-02-27 22:12 ` LC Bruzenak
2009-02-27 22:27 ` Matthew Booth [this message]