[syslog-ng] Question on syslog-ng filtering and performance - host vs. netmask

Jim jrhendri at maine.rr.com
Sat Dec 3 16:13:55 CET 2011


Thanks! - I'll change the filters (hadn't thought about the fact that
the header is parsed anyway - Thanks for the sanity check)

Jim



On Fri, 2011-12-02 at 23:18 +0100, Gergely Nagy wrote:
> <jrhendri at maine.rr.com> writes:
> 
> > I used to (still do in some cases) filter like this:
> >
> > filter f_one_list {
> >   host("10.0.0.1") or
> >   host("10.0.2.1") or
> >   ...
> >   host("10.3.4.5");
> > }
> >
> >
> > Since (too) many log sources break the RFC and put all kinds of strangeness in the "header", I started using netmask instead:
> >
> > filter f_another_list {
> >   netmask("10.0.0.1/32") or
> >   netmask("10.0.2.1/32") or
> >   ...
> >   netmask("10.3.4.5/32");
> > }
> >
> > My question is this - Is there a measurable performance difference from one to another?
> > "intuitively" it would seem doing the netmask check should be faster than parsing the syslog header, but I thought I'd ask here.
> 
> The header will be parsed anyway, but the netmask check is, indeed,
> faster: instead of a string comparison, it does only a numeric
> comparison, on less data.
> 
> At ~4000 messages / sec, it shouldn't make much of a difference though
> (but that's just my gut feeling). Nevertheless, netmask should be
> slightly faster, if I'm reading the code right.
> 
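
The difference between the two filters discussed in this thread, as an added example (not code from the thread or from syslog-ng). It assumes the documented behaviour that host() is an unanchored regular-expression match on the parsed HOST field and netmask() compares the sender's IP address; the function names and sample data are constructed for illustration.

```python
import ipaddress
import re

def host_filter(pattern, host_field):
    """Model of host(): unanchored regex search on the HOST field from the header."""
    return re.search(pattern, host_field) is not None

def netmask_filter(cidr, sender_ip):
    """Model of netmask(): integer mask-and-compare on the sender's address."""
    net = ipaddress.ip_network(cidr, strict=False)
    addr = int(ipaddress.ip_address(sender_ip))
    return addr & int(net.netmask) == int(net.network_address)

# Constructed samples: (sender IP seen on the socket, HOST field parsed from the header)
SAMPLES = [
    ("10.0.0.1", "10.0.0.1"),    # well-formed header
    ("10.0.0.1", "Dec"),         # broken header: a timestamp token ends up as HOST
    ("10.0.0.15", "10.0.0.15"),  # different device whose address shares a prefix
    ("192.0.2.7", "10.0.0.1"),   # HOST field does not match the sending address
]

def evaluate(host_pattern="10.0.0.1", cidr="10.0.0.1/32", samples=SAMPLES):
    """Return (host_result, netmask_result) for each sample."""
    return [(host_filter(host_pattern, host), netmask_filter(cidr, ip))
            for ip, host in samples]

if __name__ == "__main__":
    for (ip, host), (h, n) in zip(SAMPLES, evaluate()):
        print(f"sender={ip:<10} HOST={host:<10} host()={h!s:<5} netmask()={n}")
    # Anchoring and escaping the pattern removes the prefix match, but the
    # result still depends on what the sender wrote into the header.
    print(evaluate(host_pattern=r"^10\.0\.0\.1$"))
```

Only the netmask-style check gives the same answer regardless of what the header contains, which is the property the original poster was after.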



