[syslog-ng] Question on syslog-ng filtering and performance - host vs. netmask

jrhendri at maine.rr.com jrhendri at maine.rr.com
Thu Dec 1 18:55:51 CET 2011


Hi,

  I am using syslog-ng to do log collection and "routing" to different destinations based on the origin of the log.

I used to (still do in some cases) filter like this:

filter f_one_list {
  host("10.0.0.1") or
  host("10.0.2.1") or
  ...
  host("10.3.4.5");
}


Since (too) many log sources break the RFC and put all kinds of strangeness in the "header", I started using netmask instead:

filter f_another_list {
  netmask("10.0.0.1/32") or
  netmask("10.0.2.1/32") or
  ...
  netmask("10.3.4.5/32");
}

My question is this - Is there a measurable performance difference from one to another?
"Intuitively" it would seem doing the netmask check should be faster than parsing the syslog header, but I thought I'd ask here.

(Currently I have some servers processing 4000+ messages per second with no real problem, but the CPUs are clearly busy.)

BTW - I am using 3.2.4 at the moment (looking at moving to the multi-threaded newer versions in the future)


Thanks!
Jim Hendrick
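
Added example (not part of the original post and not syslog-ng code): a small Python model of how the two filters above can disagree about the same traffic. Assumptions: host() is modelled as an unanchored regex search on the HOST field taken from the message header (as when the sender-supplied hostname is kept), netmask() as a membership test on the address the datagram arrived from, and the sample datagrams are constructed. It compares matching results only and says nothing about speed.

```python
import ipaddress
import re

# Patterns and networks copied from the two filters in the post (elided entries left out).
HOST_PATTERNS = [re.compile(p) for p in ("10.0.0.1", "10.0.2.1", "10.3.4.5")]
NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.1/32", "10.0.2.1/32", "10.3.4.5/32")]

# Simplified RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOST rest
HEADER = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) ")

def header_host(raw):
    """Return the HOST field, or None when the header does not parse."""
    m = HEADER.match(raw)
    return m.group(1) if m else None

def match_by_host(raw):
    """Model of host(): unanchored regex search on the header's HOST field."""
    host = header_host(raw)
    return host is not None and any(p.search(host) for p in HOST_PATTERNS)

def match_by_netmask(peer_ip):
    """Model of netmask(): membership test on the address the datagram came from."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in NETWORKS)

# Constructed sample datagrams: (peer address seen by the collector, raw payload).
SAMPLES = [
    ("10.0.0.1", "<34>Dec  1 18:55:51 10.0.0.1 sshd[411]: session opened"),
    ("10.0.2.1", "<34>Dec  1 18:55:52 fw-edge kernel: link up"),         # name, not IP
    ("10.3.4.5", "<34>2011-12-01T18:55:53 app: no hostname at all"),     # header does not parse
    ("10.9.9.9", "<34>Dec  1 18:55:54 10.0.0.10 cron[7]: job started"),  # regex over-match
    ("10.9.9.9", "<34>Dec  1 18:55:55 10.3.4.5 su[9]: session opened"),  # header carries another host's address
]

def compare():
    """Return one (peer, host_result, netmask_result) tuple per sample."""
    return [(peer, match_by_host(raw), match_by_netmask(peer)) for peer, raw in SAMPLES]

if __name__ == "__main__":
    for peer, by_host, by_net in compare():
        print(f"{peer:10} host()={by_host!s:5} netmask()={by_net}")
```

In this model the header-based match misses two listed sources and accepts two unlisted ones, while the address-based match follows the list exactly.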




