Full Isilon Protocol Auditing

Question

Hi All,

Current audit settings on the Isilon:

# isi audit settings view
Audit Failure: create, delete, rename, set_security, close
Audit Success: create, delete, rename, set_security, close
Syslog Audit Events: create, delete, rename, set_security
Syslog Forwarding Enabled: No
#

The Isilon documentation does not provide the implications (if any), when full protocol auditing is enabled.
Does anybody know if the performance and storage capacity of the Isilon cluster is affected by enabling full protocol auditing?

Thanks

DELL-Sam L · Answer

Hello ronanb, Here is a link to a KB that may help. https://dell.to/3kiTeTK

tenortim · Answer

In the immortal words of Robert Heinlein, TANSTAAFL (there ain't no such thing as a free lunch). Or in other words, because of the nature of auditing (by definition, it operates inline with client-initiated operations and therefore generates additional latency), every additional operation that is audited has a performance impact.

It is very hard to give hard and fast guidelines because the impact is highly dependent on the nature of the workflow and the capabilities of the cluster. For example, enabling full auditing on an F800 cluster with a light load will generate a much lower impact than attempting to do the same on heavily-loaded A2000 nodes.

Now, all that said, some of the audit types that are not enabled by default will be very expensive. Auditing every read, write or close will generally have significant impact and caution is advised. It will have a noticeable performance impact and it will generate significantly more audit data. It is supported, it does work, but it is not free.

Tim

Isilon

Full Isilon Protocol Auditing

Was this post helpful?