[syslog-ng]how to write efficient filters?
Balazs Scheidler
syslog-ng@lists.balabit.hu
Thu, 16 Dec 2004 14:07:49 +0100
On Thu, 2004-12-16 at 10:42, Timothy Webster wrote:
> Which is more efficient?
>
> filter f_pop_acc { program("pop3") and match("not have pop"); };
> filter f_mail { facility(mail); };
>
> log { source(s_sys); filter(f_mail); filter(f_pop_acc); destination(d_pop_acc);
>
>
> or
>
> filter f_pop_acc { facility(mail) and program("pop3") and match("not have pop"); };
> log { source(s_sys); filter(f_pop_acc); destination(d_pop_acc);
>
> Sorry too lazy to look at the code :)
I think it should be about the same. The first one traverses a linked
list of filters and breaks out the loop if a filter does not match, the
second uses the parse tree generated by the config parser, using C's &&
operator, which similarly does lazy evaluation.
--
Bazsi