Scenario 1: Apply a fixed tag to all events
The simplest scenario involves assigning a single, fixed Devo tag to all events that are received on a given relay port. For this rule, we only need to specify the Source port and the Target tag.
Create the rule
- Identify the Source port on which the relay will receive the inbound events. It is good practice to dedicate a single port to a single event source.
- Enter the Devo tag in the Target tag field.
- (Optional) Select the Stop processing checkbox if you don't want the event to be subject to any subsequent relay rules. This is not necessary if this is the only rule that will run on events received on the specified port.
Take for example...
The rule for processing log events sent from the Bluecoat ProxySG fits this scenario. The events will be received on port 13005, and the Devo tag to apply to these events is proxy.bluecoat.proxysg. Sent without syslog tag is selected because the inbound events do not contain syslog tags in their headers. Because Stop processing is not selected, we can assume that this port is reserved exclusively for Bluecoat ProxySG events, so no other rules will be applied to them.
To learn about the fields in the relay rule form, check out the Defining a relay rule article.