On 2016-03-02 18:37, Per Jessen wrote:
Anton Aylward wrote:
In a corporate setting logging of activity is important. But writing to a file is slow. Some of the higher end activity analysers used by, for example, banks, to detect suspicious (read: 'nefarious') activity end up writing to a database. Perhaps that's faster.
Almost certainly not. It's the same data that needs to end up on disk, adding a database to the mix will slow it down, but make analysis and structured access easier.
That's it. It is machine reading, without needing to parse the results, that is faster, because it is already "parsed", so to speak. In fact, reading (dumping) the systemd journal is terribly slow because (educated guess) it is heavy on disk fragmentation. Unless the HD is an SSD.
The whole idea of the journald is that it is faster to have the events logged as binary and only translated to human readable when needed.
Anton, it's a bit early for April Fools. Most stuff logged to syslog comes in text format anyway. I am not sure what the whole idea of systemd was or is or was meant to be, but it was certainly not about speed for corporate settings.
It would be faster writing if you write in the exact same format as the log entries exist internally before being written. There is a timestamp, binary, a facility/priority field, a number, pid, a number, and the rest is text (the log entries plus names) at variable size. All that is adapted for storage in a database, and the text compressed. Can't be faster.

--
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)