[syslog-ng] Question on syslog-ng filtering and performance - host vs. netmask
jrhendri at maine.rr.com
jrhendri at maine.rr.com
Thu Dec 1 18:55:51 CET 2011
Hi,
I am using syslog-ng to do log collection and "routing" to different destinations based on the origin of the log.
I used to (still do in some cases) filter like this:
filter f_one_list {
host("10.0.0.1") or
host("10.0.2.1") or
...
host("10.3.4.5");
}
Since (too) many log sources break the RFC and put all kinds of strangeness in the "header", I started using netmask instead:
filter f_another_list {
netmask("10.0.0.1/32") or
netmask("10.0.2.1/32") or
...
netmask("10.3.4.5/32");
}
My question is this - Is there a measurable performance difference from one to another?
"intuitively" it would seem doing the netmask check should be faster than parsing the syslog header, but I thought I'd ask here.
(currently I have some servers processing 4000+ messages per second with no real problem, but the CPUs are clearly busy.
BTW - I am using 3.2.4 at the moment (looking at moving to the multi-threaded newer versions in the future)
Thanks!
Jim Hendrick
More information about the syslog-ng
mailing list