[syslog-ng] [RFC] value-pairs(), take #3
Evan Rempel
erempel at uvic.ca
Mon Feb 7 18:55:00 CET 2011
Matthew Hall wrote:
> On Mon, Feb 07, 2011 at 08:54:46AM -0800, Evan Rempel wrote:
>> I think that you are approaching this as a filter of the keys.
>> When doing this the first filter that "matches" the key is the one that
>> actually determines if the key is included or not.
>>
>> I approach this as a set theory specification. In set theory, it is
>> the last item that determines if a key is included.
>>
>> Both are equally flexible and non-ambiguous. My preference for this
>> type of task is to use set theory. I view this as building a set of
>> keys to place into the output template.
>
> I think it was done that way for performance reasons.
>
> If you are trying to process thousands of messages per second, you want
> to use a rulechain, and have the key rules as high as possible up the
> chain as you can manage.
>
> Just like setting up ACL chains in a router.
The performance turns out to be the same because with set theory, you
just process the list in the opposite order with the first match
short circuiting the search.
--
Evan
More information about the syslog-ng
mailing list