>Does the auditing overhead operate in a similar manner to DTrace where 
>the overhead is only apparent when the specific probes are enabled?

I thought it was clear from my earlier email that it was not; auditing is
always expensive even if no events are generated.

The reason is that auditing adds a lot of bookkeeping for a number of
system calls so it can generate proper audit records for other system
calls.

>For example, if I am only interested in auditing exec calls, will simply 
>enabling auditing have an overhead on, say, the read and write calls or is
>the overhead limited to the call being audited?

Even with no events generated, auditing will slow down your system;
depending on your workload the effect may or may not be very noticeable.

That's one of the main challenges of always-on auditing: reducing the
"no event" overhead to be in the noise.

Casper

