I'd like to point out a different factor: Intelligence in log analysis.

Suppose Postfix logs 30 messages per minute about a user's actions, and a log analysis system needs 120 messages until it's sure that it can block that user. In that case, the lack of information adds a delay of four minutes and the slowness of the log-tailing subsystem adds a delay of a few milliseconds. I suppose the analysis and reaction may take a second or two.

Thus, the user is able to behave badly for four minutes and a few seconds.

Bypassing the syslog makes the process one second faster. But if the analysis is instead made more intelligent, so it makes a correct decision using 90 instead of 120 log messages, then the process is a whole minute faster.

Arnt
