Using the Audit Manager

Adjusting audit performance parameters

In the Audit Manager, select Collection -> Parameters -> Modify. Use <Tab> to move between parameters.

NOTE: For a discussion of performance issues, see "Performance goals".

You can alter these parameters:

Write to disk every [ ] bytes

Write to disk every [ ] seconds
These two parameters control how often audit data is written synchronously from the internal audit buffers to the audit collection file. A flush can be triggered either when a given amount of data has accumulated or when a specific time interval has elapsed. The latter is valuable when only small amounts of data are generated and records are spread out over time. You can specify both byte-count and time-lapse flushing. The time interval is always specified in seconds.

Performance may be adversely affected through a poor choice of either value. Writing too frequently slows the system with excessive I/O traffic. On the other hand, when these values are too large, the potential for data loss increases if the system crashes. A good rule of thumb is to flush each time a single internal buffer fills. Thus, setting the flush-byte count to 1024 (the size of an internal buffer) is usually sufficient.
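The trade-off between the two flush triggers can be seen in a small model. This is an added example, not code from the audit subsystem: the names `simulate`, `FlushStats`, `SPARSE` and `BUSY` are hypothetical, the workloads are constructed, and the timer is assumed to fire at fixed N-second intervals.

```python
from dataclasses import dataclass

@dataclass
class FlushStats:
    writes: int          # synchronous writes to the collection file
    max_unflushed: int   # most bytes held only in memory at any moment
    max_exposure: float  # longest time (s) a record existed only in memory
    at_risk: int         # bytes still unflushed at end_time (lost on a crash)

def simulate(records, end_time, flush_bytes=None, flush_seconds=None):
    """records: (arrival_seconds, size_bytes) tuples sorted by arrival time."""
    writes = pending = max_unflushed = 0
    max_exposure = 0.0
    oldest = None                  # arrival time of the oldest unflushed record
    next_tick = flush_seconds      # assumed model: timer fires every N seconds

    def flush(now):
        nonlocal writes, pending, oldest, max_exposure
        if pending:
            writes += 1
            max_exposure = max(max_exposure, now - oldest)
            pending, oldest = 0, None

    def run_timer(until):
        nonlocal next_tick
        while next_tick is not None and next_tick <= until:
            flush(next_tick)
            next_tick += flush_seconds

    for arrival, size in records:
        run_timer(arrival)
        pending += size
        oldest = arrival if oldest is None else oldest
        max_unflushed = max(max_unflushed, pending)
        if flush_bytes is not None and pending >= flush_bytes:
            flush(arrival)
    run_timer(end_time)
    if pending:                    # crash at end_time: this data never reached disk
        max_exposure = max(max_exposure, end_time - oldest)
    return FlushStats(writes, max_unflushed, max_exposure, pending)

# Constructed workloads (not measurements from a real system).
SPARSE = [(60 * i, 100) for i in range(10)]     # one 100-byte record per minute
BUSY = [(i / 100, 256) for i in range(1000)]    # 100 records/s for 10 s

if __name__ == "__main__":
    print("sparse, bytes only :", simulate(SPARSE, 600, flush_bytes=1024))
    print("sparse, bytes+30 s :", simulate(SPARSE, 600, 1024, 30))
    print("busy, 1024 bytes   :", simulate(BUSY, 10, flush_bytes=1024))
    print("busy, 256 bytes    :", simulate(BUSY, 10, flush_bytes=256))
```

On the sparse workload the byte threshold alone never fires, so every record is still in memory after ten minutes; adding a 30-second interval bounds that exposure at the cost of one write per record.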

Wake up daemon every [ ] bytes
This parameter controls the audit daemon. This daemon continually reads the audit device and retrieves records written to the collection files. These records are then compacted and written to compaction files which can later be reduced. To maximize the effectiveness of the compaction algorithm, the daemon needs to read blocks of data between 4KB and 5KB. This requires special handling by the subsystem because a typical process read returns when any data is available rather than waiting for a specified amount of data to accumulate. For maximum effectiveness, this parameter should be left at the default value of 4KB. Values greater than 4KB will not yield significant improvement.

Number of collection buffers
This specifies the number of collection buffers for the subsystem to use. It uses these internal collection buffers to gather audit data for writing to the collection file. Multiple buffers are used to increase the efficiency of the system because all processes attempting to write records essentially share the buffer space. By providing multiple buffers, processes can deposit records and continue execution without blocking even if an I/O is occurring on previous buffers. At least two buffers are required. Most systems cannot effectively use more than 4-6 buffers, so stay within that range to avoid performance problems. There is no simple way to calculate the optimum number of buffers. Generally, base this value on the expected process load of the system.

Collection file switch every [ ] bytes

Audit output file switch every [ ] bytes
These two parameters specify the maximum size that collection and compaction files may grow before a new file is created. Choosing a small value for either parameter results in excessive file switches. Because compaction files are permanent, this can also lead to a proliferation of small files on the system. Choosing values that are too large creates a situation where audit collection files use large amounts of disk space even though they are partially read by the audit daemon and could otherwise be discarded.

The size of audit compaction files can be controlled because these files remain on the system until reduced and removed. It is desirable that these files be of reasonable size to work with, including being able to save and restore them easily. The default value for the collection files is 50KB, and the compaction files are 1MB. Make sure that the maximum size chosen for the compaction files does not exceed the ulimit established for the system, which determines the maximum size of a user file.

Compacted output files
This option is provided in case you want non-compacted audit files. There is no compelling reason why this option should be selected because compaction does not require large amounts of additional processing time and the resultant disk savings are typically greater than 60 percent. The compaction algorithm is contained in the audit daemon user process, not performed in the kernel portion of the subsystem.

Enable audit on system startup
This option starts auditing automatically each time the system is rebooted. This field is only displayed with the View selection; it is set according to whether auditing was enabled or disabled. If auditing was disabled, then auditing is disabled at startup.

Shut down auditing on disk full
This option allows the system to shut down automatically if the system runs out of disk space, thus avoiding data corruption.

Change parameters for this session

Change parameters for future session
These options dynamically alter the current session and/or make the changes a permanent part of the audit parameter file for future sessions.


© 2003 Caldera International, Inc. All rights reserved.
SCO OpenServer Release 5.0.7 -- 11 February 2003