how to write efficient filters?
Which is more efficient?

filter f_pop_acc { program("pop3") and match("not have pop"); };
filter f_mail { facility(mail); };
log { source(s_sys); filter(f_mail); filter(f_pop_acc); destination(d_pop_acc); };

or

filter f_pop_acc { facility(mail) and program("pop3") and match("not have pop"); };
log { source(s_sys); filter(f_pop_acc); destination(d_pop_acc); };

Sorry too lazy to look at the code :)

-tim
Hi,
> Which is more efficient?

Hard to say but I should like to ask you if it really matters?

> filter f_pop_acc { program("pop3") and match("not have pop"); };
> filter f_mail { facility(mail); };
> log { source(s_sys); filter(f_mail); filter(f_pop_acc); destination(d_pop_acc); };
>
> filter f_pop_acc { facility(mail) and program("pop3") and match("not have pop"); };
> log { source(s_sys); filter(f_pop_acc); destination(d_pop_acc); };
>
> Sorry too lazy to look at the code :)

Me too but you could use ltrace or strace and count the times spent in each library and syscall. Of course this is only an indication.

To be honest, reading your example doesn't strike me as particularly high volume traffic. I'd say that your popd dies before syslog-ng is not able to send your filtered traffic anymore ;).

HTH and have a nice day,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc
On Thu, 2004-12-16 at 10:42, Timothy Webster wrote:
> Which is more efficient?
>
> filter f_pop_acc { program("pop3") and match("not have pop"); };
> filter f_mail { facility(mail); };
> log { source(s_sys); filter(f_mail); filter(f_pop_acc); destination(d_pop_acc); };
>
> or
>
> filter f_pop_acc { facility(mail) and program("pop3") and match("not have pop"); };
> log { source(s_sys); filter(f_pop_acc); destination(d_pop_acc); };
>
> Sorry too lazy to look at the code :)

I think it should be about the same. The first one traverses a linked list of filters and breaks out of the loop if a filter does not match, the second uses the parse tree generated by the config parser, using C's && operator, which similarly does lazy evaluation.

-- Bazsi
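The two evaluation strategies described in the reply above, as an added C model that is not part of the original thread and is not syslog-ng source code. It counts predicate calls for both configuration layouts on constructed messages; `Msg`, `Filter`, the predicate functions and the counters are hypothetical names, and substring checks stand in for the regular-expression matching of program() and match().

```c
#include <stdio.h>
#include <string.h>
/* Constructed model of a log message; not syslog-ng's own structure. */
typedef struct { const char *facility, *program, *text; } Msg;
typedef int (*Pred)(const Msg *);
static int evals;  /* predicate calls made during the current evaluation */

/* Assumption: substring checks stand in for program() and match() regexes. */
static int is_mail(const Msg *m) { evals++; return strcmp(m->facility, "mail") == 0; }
static int is_pop3(const Msg *m) { evals++; return strstr(m->program, "pop3") != NULL; }
static int no_pop(const Msg *m)  { evals++; return strstr(m->text, "not have pop") != NULL; }

/* Layout 1: the log path holds a linked list of filters, left at the first miss. */
typedef struct Filter { Pred p[3]; int n; struct Filter *next; } Filter;

static int filter_match(const Filter *f, const Msg *m) {
    for (int i = 0; i < f->n; i++)        /* "and" inside a single filter */
        if (!f->p[i](m)) return 0;
    return 1;
}

int chain_evals(const Msg *m, int *matched) {
    Filter f_pop_acc = { { is_pop3, no_pop }, 2, NULL };
    Filter f_mail = { { is_mail }, 1, &f_pop_acc };
    evals = 0; *matched = 1;
    for (const Filter *f = &f_mail; f; f = f->next)
        if (!filter_match(f, m)) { *matched = 0; break; }
    return evals;
}

/* Layout 2: one filter whose operands are joined by C's short-circuit &&. */
int single_evals(const Msg *m, int *matched) {
    evals = 0;
    *matched = is_mail(m) && is_pop3(m) && no_pop(m);
    return evals;
}

int main(void) {
    Msg samples[] = {  /* constructed sample messages */
        { "mail", "pop3d",   "user does not have pop access" },
        { "mail", "postfix", "connect from unknown" },
        { "auth", "sshd",    "session opened" },
    };
    for (int i = 0; i < 3; i++) {
        int a, b;
        int c = chain_evals(&samples[i], &a), s = single_evals(&samples[i], &b);
        printf("%-8s chain=%d (match %d)  single=%d (match %d)\n", samples[i].program, c, a, s, b);
    }
    return 0;
}
```

In this model both layouts make the same number of predicate calls for every message, because each stops at the first operand that fails.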
On Thu, 16 Dec 2004 14:07:49 +0100 Balazs Scheidler <bazsi@balabit.hu> wrote:
> On Thu, 2004-12-16 at 10:42, Timothy Webster wrote:
> > Which is more efficient?
> >
> > filter f_pop_acc { program("pop3") and match("not have pop"); };
> > filter f_mail { facility(mail); };
> > log { source(s_sys); filter(f_mail); filter(f_pop_acc); destination(d_pop_acc); };
> >
> > or
> >
> > filter f_pop_acc { facility(mail) and program("pop3") and match("not have pop"); };
> > log { source(s_sys); filter(f_pop_acc); destination(d_pop_acc); };
> >
> > Sorry too lazy to look at the code :)
>
> I think it should be about the same. The first one traverses a linked list of filters and breaks out of the loop if a filter does not match, the second uses the parse tree generated by the config parser, using C's && operator, which similarly does lazy evaluation.
>
> -- Bazsi

thx, -tim.