In-house Relay rules

The In-house Relay can apply rules to log data received from data sources in order to apply tags, stop processing, or drop the event. Four default rules come with the standard In-house Relay, and Admin users can create new rules as needed for the Devo domain. Rules are associated with incoming ports, so to have a specific rule applied, the data source must send its log data to the corresponding port.

Default rules

The In-house Relay comes with the following rules that are activated by default:

  • Port 12999 (UDP) - Any device with Netflow support can send its events to this port for processing, labeling, and forwarding to Devo.
  • Port 13000 (UDP/TCP) - Logs that come with the correct syslog tag and do not require further processing should be sent to this port.
  • Port 13001 (UDP/TCP) - Unix machines that generate traditional syslogs which cannot be natively labeled should be sent to this port, where the relay will label the logs with a box.unix tag before forwarding them to Devo.
  • Port 13002 (UDP/TCP) - Windows machines, such as Snare agents, that send logs via syslog but are unable to tag them should be directed to this port. Here the relay labels the logs with a box.win tag before forwarding them to Devo.
Port            Technologies
12999           Netflow
13000           Events already tagged
13001           *Nix operating systems
13002           Old Windows agents (with the new one, events are directly sent to port 13000)
13003           Free for any device-specific rule
13004           Free for any device-specific rule
13005           Free for any device-specific rule
13006           Free for any device-specific rule
13007           Free for any device-specific rule
Any free port   Free for any device-specific rule

Configuring new relay rules

The In-house Relay rules are applied to data received from data sources that do not create tags before sending. Rules can be created to recognize characteristics of the received data and, based on those characteristics, apply event tags, stop processing, drop events, and more. These rules are applied in a specific order, from top to bottom.

To configure a new rule, go to Administration → Relays:

  1. Select the relay to which you want to add a new rule.
  2. Click the ellipsis icon at the end of the row and select Edit.

  3. Select Add Rule. Enter the required information in the Rule Definition window.

    The following table describes the fields in the Rule Definition window:

    Rule Name - Assign a name to the rule.
    Description - Add a brief description of what the rule does.
    Source Port - The rule will be applied to all data originating from this port.
    IP - The rule will be applied to all data originating from this IP address.
    Hostname - The rule will be applied to all data originating from this hostname.
    Is Prefix - Select this check box if you want to keep the syslog (source) tag received and append it after the target tag. Here's an example:

      SourceTag: web.info
      TargetTag: org5
      isPrefix: true
      Final output events tag: org5.web.info

    Stop Processing - Select this check box if you want events that match this rule to undergo no further processing. That is, no subsequent rules will be applied after this rule.
    Source Tag - Specify the tag prefix that will trigger the application of this rule. That is, the rule will be applied to events whose tag starts with this prefix.
      • Valid formats: (word)(.word)*.
    Target Tag - Specify the tag to be applied to events that meet the conditions of this rule.
      • Valid formats: tag1.tag2.\\D1.\\D2.
      • Tags should not contain hyphens, dashes or any special characters.
      • The maximum length of the tag name is 50 characters.
      • Incorrect tag name: my.app.sf-ltrelay02.test_data
    Send without tag - Select this check box if there is no %syslogtag%.
    Drop Event - Select this check box if you want to drop an event that meets the conditions of this rule, that is, not send it to Devo. If there are further rules to be applied during processing and you have selected Drop Event, make sure you also select the Stop Processing option. Otherwise, the subsequent rules will still be applied.

    The Source Definition (Advanced Params) fields are used to tune the TCP/UDP listener settings:

    Source Level - The rule will only be applied to events received with the syslog level you indicate here.
    Source Facility - The rule will only be applied to events received with the syslog facility you indicate here.
    UDP Threads - Number of threads used by the UDP port.
    UDP Receive Buffer - The receiving buffer size of the UDP sockets.
    Max Packet Size - Maximum packet size for transmission over UDP.
    TCP Threads - Number of threads used by the TCP port.
    TCP Receive Buffer - The receiving buffer size of the TCP sockets.
  4. Click Add rule to save the new relay rule.
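The following Python model is an added example, not Devo code and not part of this article; it simulates how a top-to-bottom rule list treats an event so that a rule set can be checked before it is saved on the relay. It covers the Source Port, IP, Hostname, Source Tag, Target Tag, Is Prefix, Stop Processing and Drop Event fields; the three default rules for ports 13000 to 13002 are written as the page describes them, and the rules on ports 13003 and 13004, the events, and the exact prefix-matching and drop semantics (a drop is assumed to be sticky, while later rules still run when Stop Processing is not set) are constructed assumptions. The `valid_tag` check applies the page's tag format rules, treating the underscore in the page's incorrect-tag example as a special character.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Tag syntax from the page: (word)(.word)*, at most 50 characters, no hyphens
# or other special characters. Underscore is rejected because the page's
# incorrect-tag example contains one (assumption, not a documented rule).
TAG_RE = re.compile(r"^[A-Za-z0-9]+(\.[A-Za-z0-9]+)*$")
MAX_TAG_LEN = 50


def valid_tag(tag: str) -> bool:
    """True if the tag satisfies the Target Tag format rules."""
    return len(tag) <= MAX_TAG_LEN and TAG_RE.match(tag) is not None


@dataclass
class Event:
    port: int
    ip: str
    hostname: str
    tag: Optional[str]  # %syslogtag% as received; None if the source sent none
    message: str


@dataclass
class Rule:
    name: str
    source_port: int
    target_tag: Optional[str] = None
    source_tag: Optional[str] = None  # prefix the incoming tag must carry
    ip: Optional[str] = None
    hostname: Optional[str] = None
    is_prefix: bool = False
    stop_processing: bool = False
    drop_event: bool = False

    def matches(self, event: Event) -> bool:
        """Port must match; IP, hostname and source-tag prefix only if set."""
        if event.port != self.source_port:
            return False
        if self.ip and event.ip != self.ip:
            return False
        if self.hostname and event.hostname != self.hostname:
            return False
        if self.source_tag:
            if event.tag is None:
                return False
            if event.tag != self.source_tag and not event.tag.startswith(self.source_tag + "."):
                return False
        return True


@dataclass
class Outcome:
    tag: Optional[str]
    dropped: bool
    applied: List[str] = field(default_factory=list)  # rule names, in order


def apply_rules(rules: List[Rule], event: Event) -> Outcome:
    """Walk the rule list top to bottom, as the relay does."""
    tag, dropped, applied = event.tag, False, []
    for rule in rules:
        if not rule.matches(event):
            continue
        applied.append(rule.name)
        if rule.drop_event:
            dropped = True  # assumed sticky: a later rule cannot undo a drop
        elif rule.target_tag:
            # Is Prefix keeps the received tag and appends it after the target.
            tag = f"{rule.target_tag}.{tag}" if rule.is_prefix and tag else rule.target_tag
        if rule.stop_processing:
            break  # no further rules are applied to this event
    return Outcome(tag, dropped, applied)


def drop_rules_missing_stop(rules: List[Rule]) -> List[str]:
    """Drop Event rules without Stop Processing that have later rules on the
    same port: the combination the page warns about."""
    flagged = []
    for i, rule in enumerate(rules):
        if rule.drop_event and not rule.stop_processing:
            if any(r.source_port == rule.source_port for r in rules[i + 1:]):
                flagged.append(rule.name)
    return flagged


# Default rules for ports 13000-13002 as described on the page, followed by
# constructed custom rules on the free ports 13003 and 13004.
RULES = [
    Rule("already tagged", 13000, stop_processing=True),
    Rule("unix syslog", 13001, target_tag="box.unix", stop_processing=True),
    Rule("windows syslog", 13002, target_tag="box.win", stop_processing=True),
    # The page's Is Prefix example: web.info + org5 -> org5.web.info
    Rule("org5 prefix", 13003, source_tag="web.info", target_tag="org5",
         is_prefix=True, stop_processing=True),
    # Drop without Stop Processing: the later rule on 13004 still runs.
    Rule("drop debug", 13004, source_tag="app.debug", drop_event=True),
    Rule("tag app", 13004, target_tag="my.app", stop_processing=True),
]

# Constructed sample events (not from the page).
EVENTS = {
    "unix": Event(13001, "10.0.0.5", "unix01", "sshd", "Accepted publickey"),
    "web": Event(13003, "10.0.0.6", "web01", "web.info", "GET /"),
    "debug": Event(13004, "10.0.0.7", "app01", "app.debug.trace", "tick"),
    "other": Event(13003, "10.0.0.8", "db01", "db.info", "query"),
}

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(name, apply_rules(RULES, ev))
    print("drop rules without stop:", drop_rules_missing_stop(RULES))
```

Running the script shows the "debug" event both dropped and re-tagged by the later rule, which is exactly the wasted work (and possible surprise) the Drop Event note warns about; `drop_rules_missing_stop` reports that rule so it can be fixed before the rule set goes live.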

For more details about how to tag events, check the Supported technologies article.
