From mboxrd@z Thu Jan  1 00:00:00 1970
From: Bond Masuda <bond.masuda@jlbond.com>
Subject: how costly is flush = sync vs incremental?
Date: Mon, 19 Oct 2015 11:57:47 -0700
Message-ID: <56253D2B.2050904@jlbond.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (ext-mx07.extmail.prod.ext.phx2.redhat.com
	[10.5.110.31])
	by int-mx14.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP
	id t9JIvo0e032089
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256
	verify=NO)
	for <linux-audit@redhat.com>; Mon, 19 Oct 2015 14:57:50 -0400
Received: from mail.jlbond.com (mail2.jlbond.com [68.15.28.130])
	by mx1.redhat.com (Postfix) with ESMTP id B9E90C0B7872
	for <linux-audit@redhat.com>; Mon, 19 Oct 2015 18:57:49 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1])
	by mail.jlbond.com (Postfix) with ESMTP id 3506179BEB
	for <linux-audit@redhat.com>; Mon, 19 Oct 2015 11:57:48 -0700 (PDT)
Received: from mail.jlbond.com ([127.0.0.1])
	by localhost (mail.jlbond.com [127.0.0.1]) (amavisd-new, port 10024)
	with LMTP id AY+QVnXaDoc1 for <linux-audit@redhat.com>;
	Mon, 19 Oct 2015 11:57:47 -0700 (PDT)
Received: from taipei.bbky.org (firewall.bbky.org [192.168.0.1])
	by mail.jlbond.com (Postfix) with ESMTP id C8E1479BEA
	for <linux-audit@redhat.com>; Mon, 19 Oct 2015 11:57:47 -0700 (PDT)
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

i'm trying to figure out how costly it is to set flush=sync vs
incremental in auditd.conf. In theory, it would seem like it is more
expensive, but by how much? At what level of paranoia about not losing
audit logs does it make sense to use flush=sync or is it not much more
costly and one might as well use that setting?

Thoughts?