Scenario 3: Filter out unwanted events
Some data sources generate events that carry little useful information and that you would rather not forward to Devo. In these cases, you can use a relay rule to identify and drop them. For this to work, you must be able to tell the relay exactly how to recognize the events it should drop. There are a few possibilities:
- By the syslog tag - You can specify this in the Source Tag field
- By content found within the syslog header or message - You can specify this using literal text or a regex in the Source Message or Source Data fields
- By the syslog level or facility - You can specify this in the Source Level or Facility fields in the Advanced parameters section of the rule
Once you define the conditions that identify the events you want to filter out, select Drop Event and Stop Processing to finish the rule.
Create the rule
- Identify the Source Port on which the relay will receive the inbound events. Again, it is a best practice to dedicate a single port to a single event source.
- Enter the regular expression that identifies the events to drop in the Source Data field.
- Select both Drop Event and Stop Processing.
Take for example...
Bluecoat ProxySG can generate comment-style header lines in its log files that are not useful to send to Devo. These lines begin with a #, and a regular expression can identify that. So, the rule below drops all events received on port 13005 that start with #. Anchor the expression to the start of the line so that it matches only the header lines and not a # that appears elsewhere in a legitimate record (for example, in a URL fragment); an over-broad drop filter silently discards real events. Because Stop Processing is selected, events that meet the rule criteria are not processed by subsequent rules. This is good practice for all rules that are designed to filter out (or drop) events.
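The following is an added example, not code from this page or from Devo, that simulates how the drop rule above behaves on constructed sample ProxySG log lines. The `RelayRule` class, the rule names, the tag `proxy.bluecoat.sg.access` and the evaluation model are assumptions made for illustration: the model tests the Source Data regex with an unanchored search, lets every matching forwarding rule emit its tag, and has Stop Processing end evaluation for that event. It shows three rule sets side by side: the recommended anchored filter with Drop Event and Stop Processing, the same filter without Stop Processing (a later catch-all rule still forwards the headers), and an unanchored `#` filter that also drops a real access record.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of a ProxySG access log in W3C ELFF layout: comment-style
# header lines start with '#', the rest are real records. One record carries a
# '#' inside its URL to show why the drop regex must be anchored.
SAMPLE_EVENTS = [
    "#Software: SGOS 6.7.4.1",
    "#Version: 1.0",
    "#Fields: date time time-taken c-ip cs-username cs-method cs-uri-scheme cs-host cs-uri-path",
    "2024-01-15 10:00:01 120 10.1.2.3 jdoe GET http intranet.example.com /",
    "2024-01-15 10:00:02 98 10.1.2.4 asmith GET http www.example.com /docs/page#section-2",
    "2024-01-15 10:00:03 45 10.1.2.5 - CONNECT tcp updates.example.net /",
]


@dataclass
class RelayRule:
    """Hypothetical model of the relay rule fields used in this scenario."""
    name: str
    source_port: int
    source_data: str                 # regex tested against the event text
    drop_event: bool = False
    stop_processing: bool = False
    target_tag: Optional[str] = None  # tag assigned when the rule forwards the event


def route_event(port: int, event: str, rules: List[RelayRule]) -> List[str]:
    """Return the tags under which one event would be forwarded.

    Assumed model (not the relay engine itself): rules are walked in order; a
    forwarding rule that matches emits its tag; a drop rule emits nothing; a rule
    with stop_processing ends the walk so later rules never see the event.
    """
    tags = []
    for rule in rules:
        if rule.source_port != port or re.search(rule.source_data, event) is None:
            continue
        if not rule.drop_event and rule.target_tag:
            tags.append(rule.target_tag)
        if rule.stop_processing:
            break
    return tags


def forward(port: int, events: List[str], rules: List[RelayRule]) -> List[Tuple[str, str]]:
    """(tag, event) pairs that would reach Devo for a batch of events on one port."""
    return [(tag, e) for e in events for tag in route_event(port, e, rules)]


# Catch-all forwarding rule for the dedicated ProxySG port (assumed tag name).
CATCH_ALL = RelayRule("tag-proxysg", 13005, r".*",
                      target_tag="proxy.bluecoat.sg.access", stop_processing=True)


def good_rules() -> List[RelayRule]:
    """The scenario's filter: anchored '^#', Drop Event and Stop Processing set."""
    return [RelayRule("drop-headers", 13005, r"^#", drop_event=True, stop_processing=True),
            CATCH_ALL]


def no_stop_rules() -> List[RelayRule]:
    """Same filter without Stop Processing: the catch-all still forwards the headers."""
    return [RelayRule("drop-headers", 13005, r"^#", drop_event=True, stop_processing=False),
            CATCH_ALL]


def unanchored_rules() -> List[RelayRule]:
    """Unanchored '#': also matches the '#' in a URL fragment and drops a real record."""
    return [RelayRule("drop-headers", 13005, r"#", drop_event=True, stop_processing=True),
            CATCH_ALL]


if __name__ == "__main__":
    for label, rules in (("good", good_rules()), ("no-stop", no_stop_rules()),
                         ("unanchored", unanchored_rules())):
        delivered = forward(13005, SAMPLE_EVENTS, rules)
        print(f"{label}: {len(delivered)} of {len(SAMPLE_EVENTS)} events forwarded")
        for tag, event in delivered:
            print(f"  {tag}: {event}")
```

Run it and compare the three counts: only the anchored filter with Stop Processing forwards exactly the three access records. Confirm how your relay version evaluates the Source Data field (full match or search) before relying on the anchor, since that determines whether `#` alone is over-broad.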
To learn about the fields in the relay rule form, check out the Defining a relay rule article.