[syslog-ng] [RFC]: Pattern matching & correlation ideas

Gergely Nagy algernon at balabit.hu
Fri Sep 7 20:42:45 CEST 2012


Peter Gyongyosi <gyp at balabit.hu> writes:

> 3) What about pattern hierarchy == efficient matching?

Another thing that just popped in my mind: it wouldn't be much effort to
teach the generator to be able to generate different code when optimised
for best-case scenario and for worst-case scenario.

For example, let's consider that we have sshd logs running through the
parser, and our rule wants to process the successful login events.

Worst case scenario: we have a lot of failed logins. If it's a locked
down system with one or two users only, who rarely log in, then there
may very well be far more failed logins.

So in this case, we'd want the algorithm to eliminate failing matches
ASAP. Since we know the length of the line, and the minimum length of a
successful login, we can already skip any message shorter than that
with a simple integer comparison.

However, in the best case, when most logs are successful logins, this
would be a waste of time.

So if we can tell the compiler which scenario to optimise against, that
can boost performance too. And this is something that's reasonably easy
to do with the generator approach.

-- 
|8]
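The two-profile generator sketched in the message above, as an added example written for this page (it is not syslog-ng or patterndb code). It assumes a simplified patterndb-like field syntax (@TYPE:name@ with only STRING, IPv4 and NUMBER), generates Python source for the matcher, and in the "worst" profile prepends the cheap guards the message describes: a minimum-length comparison derived from the pattern, plus a literal-prefix check. The sshd message lines are constructed sample input; the stats counter is instrumentation that only exists to show how many full matches each profile actually runs.

```python
"""Toy pattern compiler: generate a matcher tuned for best-case or worst-case input."""
import re

# Simplified, patterndb-like field types (an assumption of this example):
# name -> (regex, minimum number of characters the field can consume)
FIELD_TYPES = {
    "NUMBER": (r"[0-9]+", 1),
    "IPv4": (r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}", 7),   # shortest form: 1.1.1.1
    "STRING": (r"\S+", 1),                           # run of non-whitespace
}
TOKEN = re.compile(r"@(\w+):(\w+)@")  # @TYPE:name@

# Rule we want: successful sshd logins (message part only, no syslog header)
PATTERN = "Accepted @STRING:method@ for @STRING:user@ from @IPv4:ip@ port @NUMBER:port@ ssh2"

# Constructed sample workload: mostly failures, one success (the "worst case").
WORST_CASE_SAMPLE = [
    "Failed password for invalid user bob from 203.0.113.5 port 4242 ssh2",
    "Failed password for root from 203.0.113.5 port 4243 ssh2",
    "Connection closed by 203.0.113.5",
    "Accepted publickey for alice from 192.0.2.10 port 51234 ssh2",
]


def parse_pattern(pattern):
    """Split a pattern into ('lit', text) and ('field', type, name) parts."""
    parts, pos = [], 0
    for m in TOKEN.finditer(pattern):
        if m.start() > pos:
            parts.append(("lit", pattern[pos:m.start()]))
        parts.append(("field", m.group(1), m.group(2)))
        pos = m.end()
    if pos < len(pattern):
        parts.append(("lit", pattern[pos:]))
    return parts


def min_length(parts):
    """Shortest message that could possibly match: literals plus field minima."""
    return sum(len(p[1]) if p[0] == "lit" else FIELD_TYPES[p[1]][1] for p in parts)


def to_regex(parts):
    """Full matcher as a regex with one named group per field."""
    return "".join(re.escape(p[1]) if p[0] == "lit"
                   else "(?P<%s>%s)" % (p[2], FIELD_TYPES[p[1]][0]) for p in parts)


def generate_source(pattern, profile):
    """Emit Python source for match(line). Only the 'worst' profile gets guards:
    they reject lines that cannot match before the full (expensive) match runs,
    which is pure overhead when almost every line would match anyway."""
    parts = parse_pattern(pattern)
    guards = []
    if profile == "worst":
        guards.append("    if len(line) < %d: return None" % min_length(parts))
        if parts[0][0] == "lit":
            guards.append("    if not line.startswith(%r): return None" % parts[0][1])
    body = ["    stats['full'] += 1",          # instrumentation: full matches attempted
            "    m = full.match(line)",
            "    return m.groupdict() if m else None"]
    return "def match(line):\n" + "\n".join(guards + body) + "\n"


def generate_matcher(pattern, profile):
    """Compile the generated source; returns (match function, stats dict)."""
    stats = {"full": 0}
    ns = {"full": re.compile(to_regex(parse_pattern(pattern))), "stats": stats}
    exec(generate_source(pattern, profile), ns)
    return ns["match"], stats


def run(profile, lines, pattern=PATTERN):
    """Run a workload through one profile; returns (matches, full matches attempted)."""
    match, stats = generate_matcher(pattern, profile)
    hits = [r for r in map(match, lines) if r is not None]
    return len(hits), stats["full"]


if __name__ == "__main__":
    for profile in ("best", "worst"):
        print("--- profile:", profile)
        print(generate_source(PATTERN, profile))
        print("hits, full matches:", run(profile, WORST_CASE_SAMPLE))
```

Both profiles return exactly the same field values for the same line; the guards are only ever a strict subset of what the full match checks (the regex starts with the same literal and cannot consume fewer than min_length characters), so they can never reject a line the full match would accept. What differs is the number of full matches attempted on failure-heavy input, which is what the "worst" profile is meant to cut down.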