Skip to content

Latest commit

 

History

History
112 lines (83 loc) · 3.5 KB

File metadata and controls

112 lines (83 loc) · 3.5 KB

Performance Envelope

This document records a local performance envelope for LogLens. It is a reviewer aid, not a throughput guarantee or service-level objective.

The benchmark measures the offline CLI path:

  • parse sanitized syslog_legacy input
  • normalize events and parser warnings
  • run the default detector configuration
  • write report.md and report.json

CSV export was not enabled.

Benchmark Platform

Field Value
Date 2026-06-21
OS Microsoft Windows 11, version 10.0.26200, build 26200
CPU AMD Ryzen 9 7940HX with Radeon Graphics
Logical processors 32
RAM 31.2 GB
Shell PowerShell 7.5.5
Build CMake Release build
Executable build\Release\loglens.exe
Result source scripts/benchmark-performance-envelope.ps1 default run

Workload Shape

The input corpus is generated by scripts/benchmark-performance-envelope.ps1 under build/performance-envelope/. Generated files are not committed.

The synthetic input uses sanitized syslog-style records only:

  • bench-host-* hostnames
  • documentation-range 203.0.113.x source IPs
  • synthetic userNNN usernames
  • timestamps one second apart, starting at 2026-03-10 00:00:00
  • an eight-line cycle of SSH failure, SSH success, sudo, PAM auth failure, unsupported SSH preauth close, unsupported SSH timeout, session-opened, and su failure evidence

The resulting report shape is intentionally mixed:

  • 75% parsed lines
  • 25% parser warnings
  • stable parser warning buckets for unsupported SSH preauth and timeout lines
  • 50 top-level findings in each measured size

This shape exercises parser coverage telemetry and report writing without using real authentication data.

Method

Reproduction command:

pwsh -File scripts/benchmark-performance-envelope.ps1

For a quick smoke run:

pwsh -File scripts/benchmark-performance-envelope.ps1 -LineCounts 1000 -Runs 1 -WarmupRuns 0 -SkipBuild

Command shape:

build\Release\loglens.exe --mode syslog --year 2026 <input.log> <output-dir>

For each line count:

  • one warmup run was excluded from the table
  • five measured runs were recorded
  • elapsed time is wall-clock process time
  • peak memory is the maximum observed process working set sampled by the benchmark harness
  • input generation time is excluded
  • the harness writes results.json and summary.json under build/performance-envelope/

Results

Input lines Parsed lines Parser warnings Findings Median elapsed Elapsed range Peak working set
1,000 750 250 50 67.95 ms 65.45-68.32 ms 6.00 MB
10,000 7,500 2,500 50 98.14 ms 94.80-231.86 ms 12.77 MB
100,000 75,000 25,000 50 697.10 ms 686.41-761.98 ms 99.81 MB

Interpretation

The measured envelope is comfortably interactive for 100k-line local review on this machine. The largest run completed in less than one second and stayed under 100 MB peak working set.

The numbers should be read as a regression reference for this input shape. They are not a claim about all Linux authentication logs. Runtime and memory can change with:

  • larger finding evidence windows
  • substantially different unsupported-line ratios
  • CSV export
  • slower storage
  • debug builds
  • background load on the host

Parser observability remains part of the measured path: unsupported lines are reported as warnings and telemetry rather than being silently dropped.