Linux – Monitoring Linux system Calls (efficiently)

Tags: audit, linux, monitoring

What is the fastest way to monitor linux system calls and log them to a file?
This post has some great info:

https://security.stackexchange.com/questions/8485/monitoring-system-calls-in-a-reliable-and-secure-way?lq=1

It seems that the Audit subsystem is the way to go. The problem is that when you monitor ALL system calls (auditctl -a exit,always -S all) your OS becomes way too overwhelmed and everything runs slowly.
Increasing the buffer size in audit.rules didn't help much.

Is there any other way that will give reasonable performance and won't choke the OS?
I'm thinking about writing my own kernel module that will use the LSM API to hook system calls. Do you think it will do better than the audit subsystem (which uses many filters/formatting that might add unnecessary overhead)?

Best Answer

Check out perf and sysdig. Solid introspection with minimal system impact.
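A scoped alternative to the `-S all` rule from the question, added here as an example that is not part of the original thread: it writes an audit rules file that watches a handful of security-relevant syscalls for real user sessions only, which is what keeps the audit path cheap. The syscall list, keys and filter values are assumptions to tune for your host; the perf/sysdig commands from the answer are shown in comments for comparison.

```shell
#!/bin/sh
# Generates a scoped audit ruleset (assumed syscall list, tune as needed).
# Load as root with:  auditctl -R "$file"   (loading is not done here).
# Tools from the answer, for comparison (shown, not run):
#   perf trace -a -o syscalls.log      # every syscall, all processes, to a file
#   sysdig -w syscalls.scap            # raw capture; filter with sysdig -r later

# write_scoped_rules FILE: emit rules for the 64-bit ABI, restricted to
# interactive users (auid set and >= 1000), instead of "-S all".
write_scoped_rules() {
    out="$1"
    {
        echo '-D'        # drop any loaded rules first
        echo '-b 65536'  # larger kernel backlog so bursts queue instead of dropping
        echo '-f 1'      # on audit failure, log a kernel warning rather than panic
        for rule in \
            'execve -k exec' \
            'connect,accept,accept4 -k net' \
            'open,openat,creat,unlink,unlinkat,rename,renameat -k file' \
            'ptrace -k ptrace' \
            'init_module,finit_module,delete_module -k modules'
        do
            set -- $rule   # $1 = syscall list, $2 $3 = "-k <key>"
            echo "-a always,exit -F arch=b64 -S $1 -F auid>=1000 -F auid!=4294967295 $2 $3"
        done
    } > "$out"
}

# count_syscall_rules FILE: number of syscall rules in a generated file.
count_syscall_rules() {
    grep -c '^-a always,exit' "$1"
}

# Usage: write_scoped_rules /etc/audit/rules.d/50-scoped.rules
```

Each `-a` line only matches on the listed syscalls, so processes that never call them cost nothing in the audit path; the `-S all` rule from the question matches every syscall of every process.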