The 4 predefined relay rules
Four ports are reserved for four fixed, predefined relay rules. These ports can only be used to handle the event traffic for which they were designed. They are built into the relay and are not configurable using the Devo web application.
You should not try to set up any custom rules on any of these ports.
Receives Netflow records, applies the netstat.netflow.lt tag, then forwards them to Devo.
Use this port exclusively for Netflow records.
Receives any events that are already tagged and forwards them to Devo.
Use this port to forward events from sources that can tag their events but either don't have internet access or cannot establish a secure channel directly to Devo.
You can also use it to send events in CEF syslog format without any tag. Learn more about the technologies supported in this format here.
Receives simple syslog events from Unix-like machines, applies the box.unix tag, then forwards them to Devo.
We recommend that you use the unstructured format (RFC 3164) for syslog events sent to this relay port.
The Devo configuration packages for *nix are designed to facilitate the sending of events to this port.
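One way to check, before pointing a source at this port, that its events use the unstructured RFC 3164 header recommended above rather than the structured RFC 5424 one. This is an added example, not Devo code; the function names and sample lines are constructed for illustration.

```python
import re

# RFC 3164 (BSD syslog): <PRI>Mmm dd hh:mm:ss HOST TAG: message
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ \d]\d \d{2}:\d{2}:\d{2} "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
# RFC 5424 (structured syslog): <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID ...
RFC5424 = re.compile(r"^<(?P<pri>\d{1,3})>[1-9]\d? \S+ \S+ ")


def classify(line: str) -> dict:
    """Return the detected header format plus the decoded facility and severity."""
    for name, pattern in (("rfc3164", RFC3164), ("rfc5424", RFC5424)):
        m = pattern.match(line)
        if m:
            pri = int(m.group("pri"))
            if pri > 191:  # facility 0-23, severity 0-7, so the maximum is 23*8+7
                return {"format": "invalid", "reason": "PRI out of range"}
            return {"format": name, "facility": pri >> 3, "severity": pri & 7}
    return {"format": "invalid", "reason": "no recognizable syslog header"}


def not_rfc3164(lines):
    """Lines that do not match the unstructured format recommended for this port."""
    return [line for line in lines if classify(line)["format"] != "rfc3164"]


# Constructed sample lines (not real traffic)
SAMPLES = [
    "<38>Oct  5 14:02:11 web01 sshd[2211]: Failed password for invalid user admin "
    "from 192.0.2.10 port 51234 ssh2",
    "<38>1 2024-10-05T14:02:11.003Z web01 sshd 2211 - - Failed password for invalid user admin",
    "Oct  5 14:02:11 web01 sshd[2211]: missing PRI",
    "<999>Oct  5 14:02:11 web01 app: bad priority",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample)["format"], "|", sample[:60])
```
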
Receives untagged syslog events from legacy Windows machines (usually via Snare), applies the box.win tag, then forwards them to Devo.
For more information, see the 2021-07-08_07-53-05_box.win_snare article.