Scenario 2: Apply a Devo tag based on data found in the inbound event
Another straightforward scenario involves assigning a fixed Devo tag based on data contained in any part of the source event. For example, if the tag in the event's syslog header is ABC, then apply the Devo tag one.two.three. Depending on where the data is located in the source event, you can match on the Source tag, Source message, or Source data field.
Create the rule
- Identify the port on which the relay will receive the inbound events. It is good practice to dedicate a single port to a single event source when possible.
- Specify the values to match in the Source tag, Source message, or Source data fields. For a detailed description of these fields, see Defining a relay rule.
- Enter the Devo tag in the Target tag field.
- (optional) Select the Stop processing checkbox to prevent any further rules from processing the event if the current rule was successful. If the current rule is unsuccessful, processing will continue.
Take for example...
The rule for processing log events sent from the pfSense firewall fits this scenario. When the syslog tag of events received on port 514 is pf, the rule applies the Devo tag firewall.pfsense.firewall. Because Stop processing is selected, the event is not subjected to further rules if this rule is successful.
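The following is an added illustration of how the rule above behaves, written as a small Python simulation rather than code from Devo or the relay itself: it extracts the tag from a syslog header, evaluates rules in order for the port the event arrived on, and honours the Stop processing semantics (a successful rule with the box checked ends evaluation; an unsuccessful one is skipped and evaluation continues). The `RelayRule` class, the regex, the catch-all second rule and the sample events are all constructed for this example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical model of a relay rule (not Devo's own code). The fields mirror
# the form described above: port, Source tag, Target tag, Stop processing.
@dataclass
class RelayRule:
    port: int
    source_tag: str            # regex matched against the syslog tag
    target_tag: str            # Devo tag applied when the rule succeeds
    stop_processing: bool = False

# RFC 3164-style header: "<PRI>Mon DD HH:MM:SS host tag[pid]: message"
SYSLOG_RE = re.compile(
    r"^<\d{1,3}>(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[\d+\])?: ?(?P<msg>.*)$"
)

def syslog_tag(event: str) -> Optional[str]:
    """Return the tag from the syslog header, or None if the line does not parse."""
    m = SYSLOG_RE.match(event)
    return m.group("tag") if m else None

def apply_rules(port: int, event: str, rules: list[RelayRule]) -> tuple[Optional[str], list[str]]:
    """Evaluate rules in order for an event received on `port`.

    Returns (devo_tag, trace): the tag finally applied (None if no rule matched)
    and the target tags of every rule that matched, so the reader can see
    where Stop processing ended evaluation."""
    tag = syslog_tag(event)
    devo_tag, trace = None, []
    for rule in rules:
        if rule.port != port or tag is None:
            continue                      # rule does not apply to this port/event
        if re.fullmatch(rule.source_tag, tag):
            devo_tag = rule.target_tag    # rule successful: apply its Devo tag
            trace.append(rule.target_tag)
            if rule.stop_processing:
                break                     # no further rules are evaluated
    return devo_tag, trace

# The pfSense rule from the text, plus a constructed catch-all on the same port
RULES = [
    RelayRule(514, "pf", "firewall.pfsense.firewall", stop_processing=True),
    RelayRule(514, ".*", "my.app.unclassified"),
]

# Constructed sample events, not real traffic
PF_EVENT = "<134>Jan 10 12:00:01 fw01 pf: sample firewall message"
OTHER_EVENT = "<13>Jan 10 12:00:02 fw01 sshd[123]: sample auth message"
```

Running `apply_rules(514, PF_EVENT, RULES)` yields the pfSense tag and a one-entry trace, because the first rule succeeded and stopped processing; the sshd event falls through to the catch-all.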
To learn about the fields in the relay rule form, check out the Defining a relay rule article.