David, thank you for clarifying this. This is all making more sense now, along with your responses on the other message threads explaining other differences between rulebase and parser. Also, I must comment that your PDF, 'log filtering with rsyslog', has been a very helpful read: http://www.sclug.org/sites/www.sclug.org/files/presentations/rsyslog_filtering.pdf

I'm wondering how much has changed since publishing that...

Anyway, thanks again!

-Kendall

On Wed, Jan 28, 2015 at 4:17 AM, David Lang <[email protected]> wrote:

> On Wed, 28 Jan 2015, Kendall Green wrote:
>
>> But I understand the number of combinations / per rule in a rulebase,
>> would affect performance.
>
> This is actually not the case (at least unless you use regex types)
>
> This is the power of liblognorm and why it isn't just a 'typical' regex
> engine
>
> liblognorm compiles the ruleset into a parse tree. With that parse tree,
> processing a message is (almost*) as simple as 'start at the beginning of
> the log message, look at the first character and pick what branch to take,
> look at the next character and pick what branch to take... hit the end of
> the string or the tree and you have finished parsing the message'
>
> so it doesn't matter if a ruleset has 10 entries or 10000 entries, the
> time taken to process a log message against it is the same, how long it
> takes to walk the length of the message.
>
> David Lang
>
> * The almost is because the fact that you are gathering data into tags
> means that there is a timeframe when you may be dealing with two branches of
> the tree, one where the data is part of a tag, and one where it's a
> constant. And the subtleties of this are why it's so useful to have this as
> a library.
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
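
The parse-tree walk described in the quoted reply, as an added sketch that is not part of the thread and is not liblognorm's code. It assumes a simplified rule syntax with only `%name:word%` fields; the rule names and sample rules are constructed. `match` prefers the constant branch and falls back to the tag branch, which is the "two branches" case from the footnote.

```python
# Toy sketch, NOT liblognorm's code. Assumed syntax: literals plus %name:word% fields.
import re
FIELD = re.compile(r"%(\w+):word%")   # "word" = everything up to the next space

class Node:
    def __init__(self):
        self.lit = {}      # next literal character -> Node
        self.field = None  # (field name, Node); the first rule to add it names it
        self.rule = None   # rule id when a rule ends at this node

def compile_rules(rules):
    """Merge every rule into one tree, so shared prefixes are stored once."""
    root = Node()
    for rule_id, text in rules.items():
        node = root
        for i, part in enumerate(FIELD.split(text)):  # literal, name, literal, ...
            if i % 2:
                node.field = node.field or (part, Node())
                node = node.field[1]
            else:
                for ch in part:
                    node = node.lit.setdefault(ch, Node())
        node.rule = rule_id
    return root

def match(root, msg):
    """Return (rule id, fields, characters examined); rule id is None on no match."""
    stack, steps = [(root, 0, {})], 0   # pending branches: node, position, fields
    while stack:
        node, pos, fields = stack.pop()
        while pos < len(msg):
            steps += 1
            if node.field:              # remember the tag branch as a fallback
                name, child = node.field
                end = msg.find(" ", pos) % (len(msg) + 1)  # no space: end of msg
                if end > pos:
                    stack.append((child, end, {**fields, name: msg[pos:end]}))
            nxt = node.lit.get(msg[pos])
            if nxt is None:             # constant branch is dead; try a fallback
                break
            node, pos = nxt, pos + 1
        else:                           # whole message consumed on this branch
            if node.rule is not None:
                return node.rule, fields, steps
    return None, {}, steps

RULES = {  # constructed sample rules, not taken from the thread
    "login_fail": "sshd: Failed login for %user:word% from %ip:word%",
    "root_fail": "sshd: Failed login for root from %ip:word%",
}
```

Compiling these two rules together with thousands of additional rules that start with a different prefix leaves the step count for a given message unchanged, because the walk only follows the branches the message's own characters select.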

