1 The queue data structure can keep data only in memory, only on disk
2 (writing it to disk and reading from disk), or in both (writing everything
3 to disk, but reading from disk only data stored in a previous run).
4 audisp-remote will use the last option for performance.
6 The queue file format starts with a fixed header, followed by an array
7 of slots for strings. Due to the fixed size of each slot the file format
8 is rather inefficient, but it is also very simple.
10 The file is preallocated and the string slots will be aligned to a 4KB
11 boundary, so it should be necessary to only write one block to disk
12 when audisp-remote receives a (short) audit record.
14 With the default queue size of 200 items the file will be about 2.4
15 megabytes large, which is probably not really worth worrying about.
17 If necessary, the space utilization could be improved by storing strings
18 consecutively instead of using pre-arranged slots.
20 The queue file format is intended to be resilient against unexpected
21 termination of the process, and should be resilient against unexpected
22 system crash as long as the OS does not reorder writes (the string data
23 is written before the header that indicates that it is present) - but
24 ultimately resiliency against such failures is limited by other
25 links in the audit record transmission chain - if the record is lost
26 within auditd or audispd, having a resilient queue file format does
27 not help; audit records generated within the kernel are necessarily
28 lost if the system crashes before they are read by auditd because
29 the kernel will not be able to regenerate/retransmit them after the next
projects / platform / upstream / audit.git / blob