[syslog-ng]how to write efficient filters?
Timothy Webster
syslog-ng@lists.balabit.hu
Mon, 20 Dec 2004 06:31:09 -0500
On Thu, 16 Dec 2004 14:07:49 +0100
Balazs Scheidler <bazsi@balabit.hu> wrote:
> On Thu, 2004-12-16 at 10:42, Timothy Webster wrote:
> > Which is more efficient?
> >
> > filter f_pop_acc { program("pop3") and match("not have pop"); };
> > filter f_mail { facility(mail); };
> >
> > log { source(s_sys); filter(f_mail); filter(f_pop_acc); destination(d_pop_acc);
> >
> >
> > or
> >
> > filter f_pop_acc { facility(mail) and program("pop3") and match("not have pop"); };
> > log { source(s_sys); filter(f_pop_acc); destination(d_pop_acc);
> >
> > Sorry too lazy to look at the code :)
>
> I think it should be about the same. The first one traverses a linked
> list of filters and breaks out the loop if a filter does not match, the
> second uses the parse tree generated by the config parser, using C's &&
> operator, which similarly does lazy evaluation.
>
> --
> Bazsi
thx,
-tim.