[syslog-ng] how to write efficient filters?

Roberto Nibali syslog-ng@lists.balabit.hu
Thu, 16 Dec 2004 11:37:13 +0100


Hi,

> Which is more efficient?

Hard to say but I should like to ask you if it really matters?

> filter f_pop_acc     { program("pop3") and match("not have pop"); };
> filter f_mail        { facility(mail); };
> 
> log { source(s_sys); filter(f_mail); filter(f_pop_acc); destination(d_pop_acc); };
>
> filter f_pop_acc     { facility(mail) and program("pop3") and match("not have pop"); };
> log { source(s_sys); filter(f_pop_acc); destination(d_pop_acc); };
> 
> Sorry too lazy to look at the code :)

Me too but you could use ltrace or strace and count the times spent in 
each library and syscall. Of course this is only an indication. To be 
honest, reading your example doesn't strike me as particularly high 
volume traffic. I'd say that your popd dies before syslog-ng is no longer
able to send your filtered traffic ;).

HTH and have a nice day,
Roberto Nibali, ratz
-- 
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc
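
A small model of the two layouts from the question, added here as an example (it is not code from this thread or from syslog-ng). It assumes that filters in a log path are applied in order and that `and` stops at the first false operand, and it counts predicate evaluations over constructed records; the Python names and the sample data are made up for illustration.

```python
import re

# Constructed sample records: (facility, program, message)
SAMPLE = [
    ("mail", "pop3d", "user bob does not have pop access"),
    ("mail", "pop3d", "login ok for alice"),
    ("mail", "postfix/smtpd", "connect from unknown"),
    ("auth", "sshd", "Accepted publickey for root"),
    ("mail", "pop3d", "user eve does not have pop access"),
    ("daemon", "cron", "job started"),
]

def predicates(calls):
    """Build the three tests from the question; each call is counted."""
    def facility(rec):
        calls["facility"] += 1
        return rec[0] == "mail"
    def program(rec):
        calls["program"] += 1
        return re.search("pop3", rec[1]) is not None
    def match(rec):
        calls["match"] += 1
        return re.search("not have pop", rec[2]) is not None
    return facility, program, match

def chained(records):
    """Layout 1: filter(f_mail); filter(f_pop_acc); in the log path."""
    calls = {"facility": 0, "program": 0, "match": 0}
    facility, program, match = predicates(calls)
    f_mail = lambda r: facility(r)
    f_pop_acc = lambda r: program(r) and match(r)
    # Assumption: a record rejected by f_mail never reaches f_pop_acc.
    return [r for r in records if f_mail(r) and f_pop_acc(r)], calls

def combined(records):
    """Layout 2: one filter with all three tests joined by 'and'."""
    calls = {"facility": 0, "program": 0, "match": 0}
    facility, program, match = predicates(calls)
    f_pop_acc = lambda r: facility(r) and program(r) and match(r)
    return [r for r in records if f_pop_acc(r)], calls

if __name__ == "__main__":
    for name, layout in (("chained", chained), ("combined", combined)):
        hits, calls = layout(SAMPLE)
        print(name, len(hits), "matches, evaluations:", calls)
```

Under these assumptions both layouts select the same records with the same number of evaluations per test, so any real difference would have to come from per-filter overhead, which is what a measurement with strace or ltrace would show.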