Adjusting audit performance parameters
Collection Parameters Modify.
Use <Tab> to move between parameters.
For a discussion of performance issues, see
You can alter these parameters:
Write to disk every [ ] bytes
Write to disk every [ ] seconds
These two parameters control the frequency with which audit data is
written synchronously to the audit collection file from the internal audit
buffers. Flushing can be controlled either by the amount of data that
accumulates before writing or after a specific time interval. The
latter is valuable when small amounts of data are generated and the frequency
of the record generation is spread out over time. You can specify both byte
count and time-lapse flushing. The time interval is always specified in
Performance may be adversely affected through a poor choice of either value.
Writing too frequently slows the system with excessive I/O
traffic. On the other hand, when these values are too large, the potential
for data loss increases if the system crashes. A good rule of thumb is to
flush each time a single internal buffer fills. Thus, setting the flush-byte
count to 1024 (the size of an internal buffer) is usually sufficient.
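
The trade-off between I/O traffic and crash exposure described above can be seen by replaying a record stream against different flush settings. This is an added example, not code from the original documentation or from the audit subsystem; the timer model (the interval runs from the arrival of the oldest unflushed record), the 64-byte record size and the two workloads are assumptions constructed for illustration.

```python
# Added example: model of byte-count and time-lapse flushing (not SCO code).
# Assumption: the timer runs from the arrival of the oldest unflushed record.

def simulate_flush(records, flush_bytes=None, flush_secs=None, end=None):
    """records: time-sorted (seconds, size_bytes) audit records.
    Returns (flushes, peak_unflushed_bytes, peak_unflushed_age_secs)."""
    flushes = 0      # synchronous writes to the collection file (I/O cost)
    pending = 0      # bytes still held in the internal audit buffers
    oldest = None    # arrival time of the oldest unflushed record
    peak_bytes = 0   # most data that a crash could have destroyed
    peak_age = 0     # longest time any record waited to reach disk

    def timer_flush(now):
        nonlocal flushes, pending, oldest, peak_age
        if flush_secs is not None and pending and now - oldest >= flush_secs:
            peak_age = max(peak_age, flush_secs)
            flushes += 1
            pending, oldest = 0, None

    for t, size in records:
        timer_flush(t)                       # timer may have fired before t
        if oldest is None:
            oldest = t
        pending += size
        peak_bytes = max(peak_bytes, pending)
        if flush_bytes is not None and pending >= flush_bytes:
            peak_age = max(peak_age, t - oldest)
            flushes += 1
            pending, oldest = 0, None

    end = records[-1][0] if end is None else end
    timer_flush(end)
    if pending:                              # never written within the window
        peak_age = max(peak_age, end - oldest)
    return flushes, peak_bytes, peak_age

# Constructed workloads: 64-byte records, sizes and rates are illustrative.
BUSY = [(i // 16, 64) for i in range(160)]   # 1024 bytes/second for 10 s
QUIET = [(60 * i, 64) for i in range(10)]    # one record per minute

if __name__ == "__main__":
    for name, load, kw in [
        ("busy,  every 64 bytes", BUSY, dict(flush_bytes=64)),
        ("busy,  every 1024 bytes", BUSY, dict(flush_bytes=1024)),
        ("quiet, every 1024 bytes", QUIET, dict(flush_bytes=1024, end=600)),
        ("quiet, 1024 bytes or 30 s", QUIET,
         dict(flush_bytes=1024, flush_secs=30, end=600)),
    ]:
        print(name, simulate_flush(load, **kw))
```

On the quiet workload the byte count alone never triggers a write, so every record is still in memory at the end of the window; adding the time interval bounds how long a record can wait.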
Wake up daemon every [ ] bytes
This parameter controls the audit daemon. This daemon continually reads
the audit device and retrieves records written to the collection files.
These records are then compacted and written to compaction files which can
later be reduced. To maximize the effectiveness of the compaction algorithm,
the daemon needs to read blocks of data between 4KB and 5KB. This
requires special handling by the subsystem because a typical process read
returns when any data is available rather than waiting for a specified amount
of data to accumulate. For maximum effectiveness, this parameter should
be left at the default value of 4KB. Values greater than 4KB will not yield
significant improvement.
Number of collection buffers
This specifies the number of collection buffers for the
subsystem to use. It uses these internal collection buffers to gather audit
data for writing to the collection file. Multiple buffers are used to
increase the efficiency of the system because all processes essentially share
the buffer space attempting to write records. By providing multiple buffers,
processes can deposit records and continue execution without blocking even if
an I/O is occurring on previous buffers. At least two buffers
are required. Most systems cannot effectively use more than 4-6 buffers to
avoid performance problems. There is no simple way to calculate the
optimum number of buffers. Generally, base this value on the expected
process load of the system.
Collection file switch every [ ] bytes
Audit output file switch every [ ] bytes
These two parameters specify the maximum size that collection and
compaction files may grow before a new file is created. Choosing a small
value for either parameter results in excessive file switches. Because
compaction files are permanent, this can also lead to a proliferation of
small files on the system. Choosing values that are too large creates a
situation where audit collection files use large amounts of disk space even
though they are partially read by the audit daemon and could otherwise
The size of audit compaction files can be controlled because
these files remain on the system until reduced and removed. It is desirable
that these files be of reasonable size to work with, including being able to
save and restore them easily. The default maximum size is 50KB for collection
files and 1MB for compaction files. Make sure that
the maximum size chosen for the compaction files does not exceed the
ulimit established for the system, which determines the
maximum size of a user file.
Compacted output files
This option is provided in case you want non-compacted audit files. There is
no compelling reason why this option should be selected because compaction
does not require large amounts of additional processing time and the
resultant disk savings are typically greater than 60 percent. The compaction
algorithm is contained in the audit daemon user process, not performed in the
kernel portion of the subsystem.
Enable audit on system startup
This option starts auditing automatically each time the system is rebooted.
This field is only displayed with the View selection; it is set according to
whether auditing was enabled or disabled. If auditing was disabled,
then auditing is disabled at startup.
Shut down auditing on disk full
This option allows the system to shut down automatically if the system
runs out of disk space, thus avoiding data corruption.
Change parameters for this session
Change parameters for future session
These options dynamically alter the current
session and/or make the changes a permanent part of the audit parameter file
for future sessions.
© 2003 Caldera International, Inc. All rights reserved.
SCO OpenServer Release 5.0.7 -- 11 February 2003