or do you only enable a subset of audit events for things you truly care about (e.g.

process_event

)

it really depends on how busy the host will be and how many syscalls will be generated

Is there a way I can understand the perf impact of enabling these?