Using regex in relay rules
The more sophisticated relay rules use information contained within the inbound syslog event to identify, classify, and process the event.
This is where regular expressions, or regex, come in very handy. A regex is a sequence of characters that defines a search pattern. The regex sequence can define capturing groups, or parts of the pattern that you want to be able to reference. A capturing group is identified by enclosing the relevant part of the regex pattern in parentheses and is referenced using the Devo backreferences described in this article. The regex is applied to text with the goal of identifying matching patterns. When a match is found, it then becomes possible to validate, identify, or replace key information.
Read more about regular expressions on Wikipedia.
In the case of a relay rule, regex can be used in the Source Message or Source Data fields of the rule editor to reflect patterns expected in the inbound events. In these patterns, capturing groups can be employed to identify key source values that can be backreferenced for event rule processing. For example, you may want to use a component of the syslog message as one level of the Devo tag; to do this, you use a Devo backreference.
Capturing groups set in regex in the Source Message or Source Data fields can be referenced from the Target Tag and Target Message fields using a syntax created by Devo and based upon standard backreferences in regex.
| Backreference | Description |
|---|---|
| \\D0 | Matches the entire syslog message component as it was received by the relay. |
| \\D1 | Matches the first capturing group in the regex. |
| \\D2 | Matches the second capturing group in the regex. |
| \\Dn | Matches the nth capturing group in the regex. |
A typical regex use case
A common use of regex in a relay rule is when you need to use data contained in the inbound event to build levels of the event source's tags. For example, let's say we have a data source that generates a few different types of events, and each event should be assigned a tag where the event type is the third level of the tag, like this: technology.brand.eventtype
This data source generates events using a pattern where the event type is described by the string that sits between the third and fourth commas in the event. In this case, the following regex, which is entered in the Source Message field, accurately describes the beginning of the event, sets the event type value as a capturing group, then essentially ignores whatever happens after the event type until the end of the event.
In order to reference the capturing group from the Target Tag field, we use the Devo backreference \\D1.
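The following Python script is an added example, not Devo's relay code, that simulates how the backreference table above and the tag-building use case just described fit together. The sample events, the Source Message regex, and the Target Tag template are all assumptions constructed for this illustration; the regex captures the field between the third and fourth commas as the first capturing group and deliberately restricts it to tag-safe characters, so an event whose type field carries unexpected characters does not match the rule instead of producing a malformed tag.

```python
import re

# Constructed sample syslog message components (not from the page). The event
# type is the field between the third and fourth commas.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:00Z,fw01,session,traffic,src=10.0.0.5,dst=10.0.0.9,action=allow",
    "2024-05-01T10:00:01Z,fw01,session,threat,src=10.0.0.5,dst=10.0.0.9,sig=1234",
    "2024-05-01T10:00:02Z,fw01,session,bad type!,src=10.0.0.5",
]

# Assumed Source Message regex: three comma-separated fields, then the event type
# as the first capturing group (restricted to a tag-safe character set), then
# whatever follows up to the end of the event.
SOURCE_MESSAGE_REGEX = r"^[^,]*,[^,]*,[^,]*,([A-Za-z0-9_]+),.*$"

# Assumed Target Tag template using the Devo backreference \D1 for the
# first capturing group.
TARGET_TAG = r"technology.brand.\D1"

# Pattern that finds \D0 ... \Dn backreferences inside a template string.
BACKREF = re.compile(r"\\D(\d+)")


def expand_backreferences(template: str, event: str, match: re.Match) -> str:
    """Replace every \\Dn in template: \\D0 is the whole inbound event as
    received, \\Dn is the nth capturing group of the Source Message regex."""
    def repl(m: re.Match) -> str:
        n = int(m.group(1))
        if n == 0:
            return event
        if n > match.re.groups:
            # A template that names a group the regex never defines is a rule
            # authoring error; fail loudly rather than emit a partial tag.
            raise ValueError(f"\\D{n} references a capturing group the regex does not define")
        return match.group(n) or ""
    return BACKREF.sub(repl, template)


def apply_relay_rule(event: str, source_regex: str = SOURCE_MESSAGE_REGEX,
                     target_tag: str = TARGET_TAG, target_message: str = r"\D0"):
    """Return (tag, message) for an event that matches the rule, or None when
    the Source Message regex does not match and the rule therefore does not apply."""
    match = re.search(source_regex, event)
    if match is None:
        return None
    return (expand_backreferences(target_tag, event, match),
            expand_backreferences(target_message, event, match))


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(apply_relay_rule(ev))
```

The third sample event is the check worth keeping in mind: because the capturing group only admits letters, digits and underscores, a type field such as "bad type!" does not match, the rule is skipped, and no tag containing spaces or punctuation is ever built from untrusted event content.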
This rule example is just a placeholder, but there are several actual Devo tags that work this way. You can have a look at Scenario 4: Assign dynamic Devo tag using inbound source data and the Devo tag firewall.paloalto for further illustration of this use of regex and Devo backreferences.