[lttng-dev] Pros and Cons of LTTng

Jonathan Rajotte-Julien jonathan.rajotte-julien at efficios.com
Tue Jul 16 10:28:32 EDT 2019


Hi Hai,

On Tue, Jul 16, 2019 at 10:19:38AM +0800, 杨海 wrote:
> Obviously LTTng has much lower overhead compared to auditd, when we turn on
> all system calls and use the same load. Is it true for both user space and
> kernel space?

lttng-ust (userspace tracer) mostly uses the same concepts as the kernel tracer
(per-cpu ring buffers, binary output/CTF, delayed consumption of events, etc.).
There is some penalty for doing things in userspace since we need some
information from the kernel for each tracepoint hit (e.g. the current CPU
number). But again most of these hot paths are quite optimized.

In any case I encourage you to try it out on your workload and see if lttng fits
your needs.

If you do not find a particular feature in the doc [1], do not hesitate to contact
this mailing list for more information.

> So far I haven't seen any report comparing LTTng and auditd,
> does anyone know?

I do not remember any conversation on this topic. After reading a bit on auditd,
lttng might be a good replacement depending on your constraints and needs.

[1] https://lttng.org/docs/v2.10/

Cheers
-- 
Jonathan Rajotte-Julien
EfficiOS

