[syslog-ng] Question on syslog-ng filtering and performance - host vs. netmask

Gergely Nagy algernon at balabit.hu
Fri Dec 2 23:18:05 CET 2011


<jrhendri at maine.rr.com> writes:

> I used to (still do in some cases) filter like this:
>
> filter f_one_list {
>   host("10.0.0.1") or
>   host("10.0.2.1") or
>   ...
>   host("10.3.4.5");
> }
>
>
> Since (too) many log sources break the RFC and put all kinds of strangeness in the "header", I started using netmask instead:
>
> filter f_another_list {
>   netmask("10.0.0.1/32") or
>   netmask("10.0.2.1/32") or
>   ...
>   netmask("10.3.4.5/32");
> }
>
> My question is this - Is there a measurable performance difference from one to another?
> "Intuitively" it would seem doing the netmask check should be faster than parsing the syslog header, but I thought I'd ask here.

The header will be parsed anyway, but the netmask check is, indeed,
faster: instead of a string comparison, it does only a numeric
comparison, on less data.

At ~4000 messages / sec, it shouldn't make much of a difference though
(but that's just my gut feeling). Nevertheless, netmask should be
slightly faster, if I'm reading the code right.

-- 
|8]
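
The numeric comparison described in the reply above, as an added sketch (not syslog-ng's code and not part of the original post): an entry such as 10.0.2.1/32 is parsed once into a network and mask, after which each check is one AND and one 32-bit compare, whereas a string check walks the HOST text byte by byte. All function and type names are hypothetical, and the addresses in main() are constructed sample senders.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names; a sketch, not syslog-ng's implementation. */
struct cidr { uint32_t net, mask; };    /* both in host byte order */

/* Parse "a.b.c.d/len" once, at config-load time. Returns 0 on success. */
int cidr_parse(const char *text, struct cidr *out)
{
    char buf[16], *end;
    const char *slash = strchr(text, '/');
    size_t n = slash ? (size_t)(slash - text) : strlen(text);
    long len = 32;                      /* a bare address means /32 */
    struct in_addr a;
    if (n == 0 || n >= sizeof buf) return -1;
    memcpy(buf, text, n);
    buf[n] = '\0';
    if (inet_pton(AF_INET, buf, &a) != 1) return -1;
    if (slash) {
        len = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end || len < 0 || len > 32) return -1;
    }
    /* Shifting a 32-bit value by 32 is undefined, so /0 is special-cased. */
    out->mask = len == 0 ? 0 : 0xFFFFFFFFu << (32 - len);
    out->net = ntohl(a.s_addr) & out->mask;
    return 0;
}

/* Per-message check: one AND and one 32-bit compare. */
int cidr_match(const struct cidr *c, uint32_t sender) { return (sender & c->mask) == c->net; }
/* String comparison for contrast: walks the HOST text byte by byte. */
int host_match(const char *host, const char *wanted) { return strcmp(host, wanted) == 0; }
/* Dotted quad to host-order integer, used to build the constructed sample senders. */
uint32_t ip4(const char *s)
{
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1 ? ntohl(a.s_addr) : 0;
}

int main(void)
{
    struct cidr c;
    if (cidr_parse("10.0.2.1/32", &c) != 0) return 1;
    printf("%d %d\n", cidr_match(&c, ip4("10.0.2.1")), cidr_match(&c, ip4("10.0.2.2")));
    return 0;
}
```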