Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751500AbWCXAoM (ORCPT ); Thu, 23 Mar 2006 19:44:12 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1751503AbWCXAoM (ORCPT ); Thu, 23 Mar 2006 19:44:12 -0500 Received: from pproxy.gmail.com ([64.233.166.176]:5491 "EHLO pproxy.gmail.com") by vger.kernel.org with ESMTP id S1751500AbWCXAoM (ORCPT ); Thu, 23 Mar 2006 19:44:12 -0500 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:user-agent:mime-version:to:cc:subject:references:in-reply-to:content-type:content-transfer-encoding; b=QMhh5le282LrSc05M7QQ8bb31beu5U6eRKQTW8OaHO/ehKD50BvbZuFS+J64L//r3M4MPg++Ue5NfU7dUg1z7E3Z/WIXJl6dQBFRqZz5Mx1ov0WDTSriIwRomX8mc40ubXiHQAQ3dlllIufNsiplO5W1R8GWSDF4XVyOVx4ZvXU= Message-ID: <44234115.7010303@gmail.com> Date: Fri, 24 Mar 2006 08:45:09 +0800 From: Yi Yang User-Agent: Thunderbird 1.5 (Windows/20051201) MIME-Version: 1.0 To: Arjan van de Ven CC: LKML , Andrew Morton Subject: Re: [2.6.16 PATCH] Connector: Filesystem Events Connector References: <44216612.3060406@gmail.com> <1143101844.3147.9.camel@laptopd505.fenrus.org> In-Reply-To: <1143101844.3147.9.camel@laptopd505.fenrus.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1227 Lines: 32 Arjan van de Ven wrote: > On Wed, 2006-03-22 at 22:58 +0800, Yi Yang wrote: > >> This patch implements a new connector, Filesystem Event Connector, >> the user can monitor filesystem activities via it, currently, it >> can monitor access, attribute change, open, create, modify, delete, >> move and close of any file or directory. >> > > > how is this not redundant functionality with the audit subsystem ? > If you open Audit option, audit subsystem will audit all the syscalls, so it adds big overhead for the whole system, but Filesystem Event Connector just concerns those operations related to the filesystem, so it has little overhead, moreover, audit subsystem is a complicated function block, it not only sends audit results to netlink interface, but also send them to klog or syslog, so it will add big overhead. I think you can look File Event Connector as subset of audit subsystem, but File Event Connector is a very lightweight subsystem. > > > - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/