[syslog-ng] Which way is better/faster
Gergely Nagy
algernon at balabit.hu
Thu Dec 6 01:06:34 CET 2012
Anton Koldaev <koldaevav at gmail.com> writes:
> Let's imagine we have one source with some logs:
> 80% - normal messages (all messages)
> 20% - specific messages (some complex regex)
>
> Normal messages filter includes specific messages.
>
> We need to put these messages into separate files.
> Which way will give more performance?
>
> 1.
> log(source(s),filter(non-specific),destination(normal),flags(final))
> log(source(s),destination(specific),flags(final))

While I have not done performance measurements, I believe this would be
the fastest, because it has only one filter, while all the rest have two,
and the others also include the non-specific filter.

> 2.
> log(source(s),filter(specific),destination(specific))
> log(source(s),filter(normal),destination(normal),flags(final))

This would run every message through both filters - definitely slower
than using only one filter.

> 3.
> log(source(s),filter(normal),destination(normal))
> log(source(s),filter(specific),destination(specific),flags(final))

Same as above.

--
|8]
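
A simplified model of the three layouts discussed above, as an added example that is not part of the original post and not syslog-ng's own code: it counts filter evaluations per layout, assuming log paths are tried in configuration order and flags(final) stops processing once a path accepts a message. The sample messages and the regex standing in for the "specific" filter are constructed.

```python
import re

# Constructed sample: 8 ordinary lines and 2 that match the "specific" pattern.
MESSAGES = [f"app[{i}]: request served" for i in range(8)] + [
    "sshd[1]: Failed password for root from 192.0.2.10",
    "sshd[2]: Failed password for admin from 192.0.2.11",
]

# Stand-in for the "complex regex" from the post (assumption, not from the thread).
SPECIFIC = re.compile(r"Failed password for \S+ from \d+\.\d+\.\d+\.\d+")

FILTERS = {
    "specific": lambda m: SPECIFIC.search(m) is not None,
    "non-specific": lambda m: SPECIFIC.search(m) is None,
    "normal": lambda m: True,  # per the post, "normal" also matches specific messages
}

# Each log path: (filter name or None, destination, final flag), in config order.
LAYOUTS = {
    1: [("non-specific", "normal", True), (None, "specific", True)],
    2: [("specific", "specific", False), ("normal", "normal", True)],
    3: [("normal", "normal", False), ("specific", "specific", True)],
}

def simulate(paths, messages):
    """Return (filter evaluations, {destination: message count})."""
    evaluations = 0
    delivered = {"normal": 0, "specific": 0}
    for msg in messages:
        for filter_name, dest, final in paths:
            if filter_name is not None:
                evaluations += 1
                if not FILTERS[filter_name](msg):
                    continue  # filter rejected: try the next log path
            delivered[dest] += 1
            if final:
                break  # flags(final): later log paths never see this message
    return evaluations, delivered

if __name__ == "__main__":
    for number, paths in LAYOUTS.items():
        print(number, simulate(paths, MESSAGES))
```

On the constructed sample, layout 1 evaluates 10 filters and layouts 2 and 3 evaluate 20; in layouts 2 and 3 the two specific messages are also written to the normal destination, because the normal filter matches them too. The model counts evaluations only and is not a throughput measurement.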