Rule performance in stream

Hi,

I have started writing many streams for alerts. Usually, a stream is a combination of many rules. Is there any performance difference between using multiple rules and using a regular expression to match multiple conditions?

For example: if I want to create a stream matching messages that contain the string “XXX” or “YYY”, should I create 2 rules, one to match each string, or create 1 rule only and use a regular expression to match these 2 strings?

It depends… but exact matches will be faster than running a regex, as a simple rule to follow.

And is the order of the rules important?
Does the first rule need to be the most specific, to drop useless logs?
Does Graylog reorder the rules?

Does Graylog reorder the rules?
Yes - least cost first.

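As an added illustration (not Graylog's code and not from this thread): a small Python model of a stream whose rules are sorted by a cost value before evaluation, showing why a regex rule then only runs against messages that already passed the cheaper exact-match rule. The `Rule` helper, the relative cost numbers and the sample messages are assumptions made for the model.

```python
import re
from dataclasses import dataclass
from typing import Callable


@dataclass
class Rule:
    name: str
    cost: int                       # assumed relative cost: exact match cheap, regex expensive
    test: Callable[[dict], bool]
    evaluations: int = 0            # how many messages actually reached this rule

    def matches(self, msg: dict) -> bool:
        self.evaluations += 1
        return self.test(msg)


def exact(field: str, value: str, cost: int = 1) -> Rule:
    """Exact-match rule on one field (the cheap kind of rule)."""
    return Rule(f"{field} == {value!r}", cost, lambda m: m.get(field) == value)


def regex(field: str, pattern: str, cost: int = 10) -> Rule:
    """Regex rule on one field (the expensive kind of rule)."""
    rx = re.compile(pattern)
    return Rule(f"{field} =~ /{pattern}/", cost,
                lambda m: rx.search(str(m.get(field, ""))) is not None)


def route(messages: list, rules: list, match_all: bool = True) -> list:
    """Evaluate rules cheapest-first (model of 'least cost first'); stop early per message."""
    ordered = sorted(rules, key=lambda r: r.cost)
    matched = []
    for m in messages:
        # all()/any() short-circuit: a 'match all' stream stops at the first miss,
        # a 'match any' stream stops at the first hit.
        hit = all(r.matches(m) for r in ordered) if match_all else any(r.matches(m) for r in ordered)
        if hit:
            matched.append(m)
    return matched


def demo() -> dict:
    # Constructed sample messages, not real log data.
    messages = [
        {"source": "web-01", "message": "XXX happened"},
        {"source": "web-01", "message": "ZZZ nothing of interest"},
        {"source": "db-01", "message": "XXX again"},
        {"source": "db-01", "message": "YYY"},
    ]
    rules = [regex("message", "XXX|YYY"), exact("source", "web-01")]
    matched = route(messages, rules, match_all=True)
    # The regex is evaluated only for the 2 messages that passed the exact rule.
    return {"matched": len(matched), "evaluations": {r.name: r.evaluations for r in rules}}
```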

And there I was carefully adding my rules from most-specific to least-specific for the ‘match all’ rulesets…

