Yeah, I was only monitoring something like a dozen or two syscalls. Just the basics of process creation, changing the system clock, file opens, and the like, but it was really hammering the logs when it was creating and destroying processes at the rate some of these apps do it.
I backed off on the auditd side and switched to other tactics. I don't have enough money to have a disk cluster made up of 150 TB of SSDs.