Sizing the audit queue

The size of the audit queue can be set by a system security officer. The default configuration is as follows:

There are trade-offs in sizing the audit queue, as shown in Figure 5-5.

If the audit queue is large, so that you do not risk having user processes sleep, you run the risk of losing any audit records in memory if there is a system failure. The maximum number of records that can be lost is the maximum number of records that can be stored in the audit queue.

If security is your chief concern, keep the queue small. If you can risk the loss of more audit records, and you require high performance, make the queue larger.

Increasing the size of the in-memory audit queue takes memory from the total memory allocated to the data cache.

Figure 5-5: Trade-offs in auditing and performance

Image shows how a process sleeps when the audit queue is full, and waits for more space to be available.  The audit records that are currently in the audit queue are lost if the system crashes.