On Mon, Dec 7, 2020 at 8:34 PM Richard Guy Briggs <[email protected]> wrote: > On 2020-12-07 18:28, Steve Grubb wrote:
... > > Other metrics would be good. I'd like to see a max_backlog to know if we are > > wasting memory. It would just record the highwater mark since auditing was > > enabled. > > That would be covered with this issue: > https://github.com/linux-audit/audit-kernel/issues/63 For those who haven't clicked on the GH issue above, increasing the queue depth doesn't result in wasted memory; memory is allocated as needed and released when it is no longer used. Simply increasing the backlog size doesn't increase the amount of memory used in the kernel by audit until the backlog queues start to fill. Once the backlog is cleared by auditd then the memory is released. -- paul moore www.paul-moore.com -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
