Re: [Fed-Talk] Auditing crushed by VMware
Re: [Fed-Talk] Auditing crushed by VMware
- Subject: Re: [Fed-Talk] Auditing crushed by VMware
- From: "O'Donnell, Dan" <email@hidden>
- Date: Tue, 13 Nov 2012 16:20:21 +0000
- Thread-topic: [Fed-Talk] Auditing crushed by VMware
What are the classes and/or events being affected and listed?
-----Original Message-----
Date: Monday, November 12, 2012 7:43 PM
Subject: [Fed-Talk] Auditing crushed by VMware
>Hi guys,
>
>I first noticed this problem yesterday and did some simple tests while
>working today: running a guest OS can seriously change the amount of
>audit data your system generates (I keep my fidelity pretty high).
>Yesterday I went from my normal of about 1 Gig per day to 2 Gigs per hour!
>
>Below is a chart of today hourly audit log sizes. The small bars are my
>typical hourly levels. The first four tall bars are when I was running
>one guest OS. Clearly that is a *huge* spike from my normal audit data.
>The second set of 3 tall bars was when I was running two guest OSes. The
>guest OSes were mostly sitting idle (my whole machine was idle the last 2
>hours).
>
>So if you are running high fidelity auditing and run VMware, be aware of
>what it can do to your auditing system. I'll look at some work arounds
>over the next few days.
>
>
__________________________________________________________________________
This email message is for the sole use of the intended recipient(s) and
may contain confidential information. Any unauthorized review, use,
disclosure or distribution is prohibited. If you are not the intended
recipient, please contact the sender by reply email and destroy all copies
of the original message.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden