[syslog-ng] Question on syslog-ng filtering and performance - host vs. netmask
Gergely Nagy
algernon at balabit.hu
Fri Dec 2 23:18:05 CET 2011
<jrhendri at maine.rr.com> writes:
> I used to (still do in some cases) filter like this:
>
> filter f_one_list {
> host("10.0.0.1") or
> host("10.0.2.1") or
> ...
> host("10.3.4.5");
> }
>
>
> Since (too) many log sources break the RFC and put all kinds of strangeness in the "header", I started using netmask instead:
>
> filter f_another_list {
> netmask("10.0.0.1/32") or
> netmask("10.0.2.1/32") or
> ...
> netmask("10.3.4.5/32");
> }
>
> My question is this - Is there a measurable performance difference from one to another?
> "intuitively" it would seem doing the netmask check should be faster than parsing the syslog header, but I thought I'd ask here.
The header will be parsed anyway, but the netmask check is, indeed
faster: instead of a string comparsion, it does only a numeric
comparsion, on less data.
At ~4000 messages / sec, it shouldn't make much of a difference though
(but that's just my gut feeling). Nevertheless, netmask should be
slightly faster, if I'm reading the code right.
--
|8]
More information about the syslog-ng
mailing list