Implement auditd's enrichment features in LAUREL #2

Closed
hillu opened this issue Sep 6, 2021 · 2 comments
Comments


hillu commented Sep 6, 2021

Measurements on busy systems with `log_format=RAW` vs. `log_format=ENRICHED` suggest that auditd(8) spends about half its CPU time on interpreting and adding simple numeric values (such as syscall, uid, gid) to the audit log. Perhaps we can do better.
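
As an added illustration of what the "enrichment" being discussed consists of (this is example code written for this page, not LAUREL's or auditd's own implementation): a RAW `SYSCALL` record is a list of `key=value` fields whose numeric values (`syscall`, `arch`, `uid`, `gid`, ...) are only meaningful together with the tables that map them to names. auditd's ENRICHED format appends those interpretations after a 0x1d group separator as upper-cased fields. The lookup tables below are constructed for the example; a real enricher would read /etc/passwd, /etc/group and the kernel's syscall table, and the `"unset"` rendering of the all-ones auid is an assumption modelled on ausearch's output.

```rust
use std::collections::HashMap;

// Constructed lookup tables (assumption for this example only).
fn syscall_names() -> HashMap<u32, &'static str> {
    HashMap::from([(0, "read"), (1, "write"), (2, "open"), (59, "execve"), (257, "openat")])
}
fn arch_names() -> HashMap<&'static str, &'static str> {
    HashMap::from([("c000003e", "x86_64"), ("40000003", "i386")])
}
fn user_names() -> HashMap<u32, &'static str> {
    HashMap::from([(0, "root"), (1000, "alice")])
}
fn group_names() -> HashMap<u32, &'static str> {
    HashMap::from([(0, "root"), (1000, "alice")])
}

/// Split a RAW audit record into ordered (key, value) pairs.
/// Tokens without '=' (none in a well-formed record) are skipped.
fn parse_fields(line: &str) -> Vec<(&str, &str)> {
    line.split_whitespace()
        .filter_map(|tok| tok.split_once('='))
        .collect()
}

/// Interpret a uid/gid-style number: a name from the table, or "unset"
/// for the kernel's 4294967295 sentinel; unknown ids are left uninterpreted.
fn id_name(v: &str, table: &HashMap<u32, &'static str>) -> Option<String> {
    let n = v.parse::<u32>().ok()?;
    if n == u32::MAX {
        return Some("\"unset\"".to_string());
    }
    table.get(&n).map(|name| format!("\"{}\"", name))
}

/// Append auditd-style enrichment: the original record, a 0x1d separator,
/// then upper-cased field names with their interpreted values, in the
/// order the fields appear in the record.
fn enrich(line: &str) -> String {
    let syscalls = syscall_names();
    let arches = arch_names();
    let users = user_names();
    let groups = group_names();
    let mut extra: Vec<String> = Vec::new();
    for (k, v) in parse_fields(line) {
        let interp = match k {
            "arch" => arches.get(v).map(|s| s.to_string()),
            "syscall" => v.parse::<u32>().ok().and_then(|n| syscalls.get(&n)).map(|s| s.to_string()),
            "uid" | "auid" | "euid" | "suid" | "fsuid" | "ouid" => id_name(v, &users),
            "gid" | "egid" | "sgid" | "fsgid" | "ogid" => id_name(v, &groups),
            _ => None,
        };
        if let Some(s) = interp {
            extra.push(format!("{}={}", k.to_uppercase(), s));
        }
    }
    if extra.is_empty() {
        line.to_string()
    } else {
        format!("{}\x1d{}", line, extra.join(" "))
    }
}

fn main() {
    // Constructed sample record (timestamps and pids are made up).
    let raw = "type=SYSCALL msg=audit(1631000000.123:42): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1234 auid=1000 uid=0 gid=0 comm=\"sudo\" exe=\"/usr/bin/sudo\" key=(null)";
    // Print the separator visibly so the two halves can be told apart.
    println!("{}", enrich(raw).replace('\x1d', " | "));
}
```

Every lookup here is a hash-table probe on an already-split field, which is the kind of work the measurements above attribute to auditd; doing it downstream in the consumer keeps auditd itself on the RAW path.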

@hillu hillu changed the title Would moving auditd's enrichment features to LAUREL make sense? Implement auditd's enrichment features in LAUREL Dec 10, 2021

hillu commented Dec 10, 2021

I have implemented such enrichment and found the combination of auditd (logformat=RAW), audisp, LAUREL to consume slightly less CPU than auditd (logformat=ENRICHED), audisp, LAUREL + enrichment patch.

Renaming issue title.


hillu commented Dec 19, 2021

Closing issue after merging #61

@hillu hillu closed this as completed Dec 19, 2021