This document records a local performance envelope for LogLens. It is a reviewer aid, not a throughput guarantee or service-level objective.
The benchmark measures the offline CLI path:
- parse sanitized `syslog_legacy` input
- normalize events and parser warnings
- run the default detector configuration
- write `report.md` and `report.json`
CSV export was not enabled.
| Field | Value |
|---|---|
| Date | 2026-06-21 |
| OS | Microsoft Windows 11, version 10.0.26200, build 26200 |
| CPU | AMD Ryzen 9 7940HX with Radeon Graphics |
| Logical processors | 32 |
| RAM | 31.2 GB |
| Shell | PowerShell 7.5.5 |
| Build | CMake Release build |
| Executable | build\Release\loglens.exe |
| Result source | scripts/benchmark-performance-envelope.ps1 default run |
The input corpus is generated by `scripts/benchmark-performance-envelope.ps1` under `build/performance-envelope/`. Generated files are not committed.
The synthetic input uses sanitized syslog-style records only:
- `bench-host-*` hostnames
- documentation-range `203.0.113.x` source IPs
- synthetic `userNNN` usernames
- timestamps one second apart, starting at `2026-03-10 00:00:00`
- an eight-line cycle of SSH failure, SSH success, sudo, PAM auth failure, unsupported SSH preauth close, unsupported SSH timeout, session-opened, and `su` failure evidence
The resulting report shape is intentionally mixed:
- 75% parsed lines
- 25% parser warnings
- stable parser warning buckets for unsupported SSH preauth and timeout lines
- 50 top-level findings in each measured size
This shape exercises parser coverage telemetry and report writing without using real authentication data.
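The corpus shape described above, sketched as an added example (this is not the project's `benchmark-performance-envelope.ps1`): two of the eight cycle entries are the unsupported kinds, which is where the 25% warning share comes from. The message texts are constructed, typical OpenSSH/sudo/PAM/su lines, and the host and user pool sizes are assumptions; whether LogLens classifies these exact strings the same way is not confirmed by this page.

```python
from datetime import datetime, timedelta

# Eight-line cycle in the order the page lists it. Message texts are
# constructed sample lines, not LogLens fixtures. The second field is
# True for the two kinds the page calls "unsupported".
CYCLE = [
    ("sshd[{pid}]: Failed password for {user} from {ip} port {port} ssh2", False),
    ("sshd[{pid}]: Accepted password for {user} from {ip} port {port} ssh2", False),
    ("sudo: {user} : TTY=pts/0 ; PWD=/home/{user} ; USER=root ; COMMAND=/usr/bin/id", False),
    ("sshd[{pid}]: pam_unix(sshd:auth): authentication failure; "
     "logname= uid=0 euid=0 tty=ssh ruser= rhost={ip} user={user}", False),
    ("sshd[{pid}]: Connection closed by {ip} port {port} [preauth]", True),
    ("sshd[{pid}]: fatal: Timeout before authentication for {ip} port {port}", True),
    ("sshd[{pid}]: pam_unix(sshd:session): session opened for user {user} by (uid=0)", False),
    ("su: pam_unix(su:auth): authentication failure; "
     "logname={user} uid=1000 euid=0 tty=pts/0 ruser={user} rhost= user=root", False),
]
START = datetime(2026, 3, 10, 0, 0, 0)


def generate(line_count, hosts=4, users=50):
    """Return (lines, expected_unsupported) for a sanitized synthetic corpus.

    hosts and users are assumed pool sizes; the page does not state them.
    """
    lines, unsupported = [], 0
    for i in range(line_count):
        template, is_unsupported = CYCLE[i % len(CYCLE)]
        ts = START + timedelta(seconds=i)  # one second apart
        # Legacy syslog timestamps carry no year (hence --year on the CLI)
        # and space-pad the day of month.
        stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
        msg = template.format(
            pid=1000 + i % 9000,
            user=f"user{i % users:03d}",
            ip=f"203.0.113.{1 + i % 254}",  # RFC 5737 documentation range
            port=40000 + i % 20000,
        )
        lines.append(f"{stamp} bench-host-{i % hosts:02d} {msg}")
        unsupported += is_unsupported
    return lines, unsupported


if __name__ == "__main__":
    lines, unsupported = generate(1000)
    print(f"{len(lines)} lines, {unsupported} expected parser warnings")
    print("\n".join(lines[:8]))
```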
Reproduction command:
```powershell
pwsh -File scripts/benchmark-performance-envelope.ps1
```

For a quick smoke run:

```powershell
pwsh -File scripts/benchmark-performance-envelope.ps1 -LineCounts 1000 -Runs 1 -WarmupRuns 0 -SkipBuild
```

Command shape:

```powershell
build\Release\loglens.exe --mode syslog --year 2026 <input.log> <output-dir>
```

For each line count:
- one warmup run was excluded from the table
- five measured runs were recorded
- elapsed time is wall-clock process time
- peak memory is the maximum observed process working set sampled by the benchmark harness
- input generation time is excluded
- the harness writes `results.json` and `summary.json` under `build/performance-envelope/`
| Input lines | Parsed lines | Parser warnings | Findings | Median elapsed | Elapsed range | Peak working set |
|---|---|---|---|---|---|---|
| 1,000 | 750 | 250 | 50 | 67.95 ms | 65.45-68.32 ms | 6.00 MB |
| 10,000 | 7,500 | 2,500 | 50 | 98.14 ms | 94.80-231.86 ms | 12.77 MB |
| 100,000 | 75,000 | 25,000 | 50 | 697.10 ms | 686.41-761.98 ms | 99.81 MB |
The measured envelope is comfortably interactive for 100k-line local review on this machine. The largest run completed in less than one second and stayed under 100 MB peak working set.
The numbers should be read as a regression reference for this input shape. They are not a claim about all Linux authentication logs. Runtime and memory can change with:
- larger finding evidence windows
- substantially different unsupported-line ratios
- CSV export
- slower storage
- debug builds
- background load on the host
Parser observability remains part of the measured path: unsupported lines are reported as warnings and telemetry rather than being silently dropped.