Skip to content

Commit 20acfec

Browse files
authored
Merge pull request #66 from stacknil/stacknil/lgl-06-performance-envelope
docs(performance): add local envelope benchmark
2 parents 10ea912 + dd2c92c commit 20acfec

3 files changed

Lines changed: 98 additions & 1 deletion

File tree

README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@ It parses `auth.log` / `secure`-style syslog input and `journalctl --output=shor
1111

1212
LogLens is an MVP / early release. The repository is stable enough for public review, local experimentation, and extension, but the parser and detection coverage are intentionally narrow.
1313

14-
Reviewing the project quickly? Start with [`docs/reviewer-path.md`](./docs/reviewer-path.md) and [`docs/reviewer-brief.md`](./docs/reviewer-brief.md). For detection reasoning, read the forensic-style [`Linux auth brute-force case study`](./docs/case-study-linux-auth-bruteforce.md) and the [`rule catalog`](./docs/rule-catalog.md).
14+
Reviewing the project quickly? Start with [`docs/reviewer-path.md`](./docs/reviewer-path.md) and [`docs/reviewer-brief.md`](./docs/reviewer-brief.md). For detection reasoning, read the forensic-style [`Linux auth brute-force case study`](./docs/case-study-linux-auth-bruteforce.md) and the [`rule catalog`](./docs/rule-catalog.md). For local scale expectations, see the [`performance envelope`](./docs/performance-envelope.md).
1515

1616
## Why This Project Exists
1717

docs/performance-envelope.md

Lines changed: 96 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,96 @@
1+
# Performance Envelope
2+
3+
This document records a local performance envelope for LogLens. It is a
4+
reviewer aid, not a throughput guarantee or service-level objective.
5+
6+
The benchmark measures the offline CLI path:
7+
8+
- parse sanitized `syslog_legacy` input
9+
- normalize events and parser warnings
10+
- run the default detector configuration
11+
- write `report.md` and `report.json`
12+
13+
CSV export was not enabled.
14+
15+
## Benchmark Platform
16+
17+
| Field | Value |
18+
| --- | --- |
19+
| Date | 2026-06-21 |
20+
| OS | Microsoft Windows 11, version `10.0.26200`, build `26200` |
21+
| CPU | AMD Ryzen 9 7940HX with Radeon Graphics |
22+
| Logical processors | 32 |
23+
| RAM | 31.2 GB |
24+
| Shell | PowerShell 7.5.5 |
25+
| Build | CMake Release build |
26+
| Executable | `build\Release\loglens.exe` |
27+
28+
## Workload Shape
29+
30+
The input corpus was generated locally under `build/performance-envelope/`.
31+
Generated files are not committed.
32+
33+
The synthetic input uses sanitized syslog-style records only:
34+
35+
- `bench-host-*` hostnames
36+
- documentation-range `203.0.113.x` source IPs
37+
- synthetic `userNNN` usernames
38+
- timestamps one second apart, starting at `2026-03-10 00:00:00`
39+
- an eight-line cycle of SSH failure, SSH success, sudo, PAM auth failure,
40+
unsupported SSH preauth close, unsupported SSH timeout, session-opened, and
41+
`su` failure evidence
42+
43+
The resulting report shape is intentionally mixed:
44+
45+
- 75% parsed lines
46+
- 25% parser warnings
47+
- stable parser warning buckets for unsupported SSH preauth and timeout lines
48+
- 50 top-level findings in each measured size
49+
50+
This shape exercises parser coverage telemetry and report writing without using
51+
real authentication data.
52+
53+
## Method
54+
55+
Command shape:
56+
57+
```powershell
58+
build\Release\loglens.exe --mode syslog --year 2026 <input.log> <output-dir>
59+
```
60+
61+
For each line count:
62+
63+
- one warmup run was excluded from the table
64+
- five measured runs were recorded
65+
- elapsed time is wall-clock process time
66+
- peak memory is the maximum observed process working set sampled by the
67+
benchmark harness
68+
- input generation time is excluded
69+
70+
## Results
71+
72+
| Input lines | Parsed lines | Parser warnings | Findings | Median elapsed | Elapsed range | Peak working set |
73+
| ---: | ---: | ---: | ---: | ---: | ---: | ---: |
74+
| 1,000 | 750 | 250 | 50 | 44.66 ms | 44.47-64.96 ms | 3.10 MB |
75+
| 10,000 | 7,500 | 2,500 | 50 | 104.01 ms | 91.36-107.15 ms | 13.82 MB |
76+
| 100,000 | 75,000 | 25,000 | 50 | 635.69 ms | 588.39-796.45 ms | 99.77 MB |
77+
78+
## Interpretation
79+
80+
The measured envelope is comfortably interactive for 100k-line local review on
81+
this machine. The largest run completed in less than one second and stayed under
82+
100 MB peak working set.
83+
84+
The numbers should be read as a regression reference for this input shape. They
85+
are not a claim about all Linux authentication logs. Runtime and memory can
86+
change with:
87+
88+
- larger finding evidence windows
89+
- substantially different unsupported-line ratios
90+
- CSV export
91+
- slower storage
92+
- debug builds
93+
- background load on the host
94+
95+
Parser observability remains part of the measured path: unsupported lines are
96+
reported as warnings and telemetry rather than being silently dropped.

docs/reviewer-path.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,7 @@ This path is for reviewers who want to understand LogLens quickly without readin
1212
| How do rules use evidence? | [`docs/rule-catalog.md`](./rule-catalog.md) | Can explain grouping keys, windows, thresholds, and unsupported-evidence boundaries |
1313
| Can the parser behavior be trusted? | Parser contract, fixture matrix, and parser coverage fields | Can see known, unknown, and malformed line handling |
1414
| How should a finding be interpreted? | [`docs/case-study-linux-auth-bruteforce.md`](./case-study-linux-auth-bruteforce.md) | Can trace raw evidence to normalized events, findings, warnings, and non-goals |
15+
| How does it behave on larger local inputs? | [`docs/performance-envelope.md`](./performance-envelope.md) | Can state the local 1k/10k/100k-line envelope and its caveats |
1516

1617
## 30-second orientation
1718

0 commit comments

Comments
 (0)