Additional Options in the Configuration Rule File

It is good practice to add additional options (such as source_type and match) to the configuration rule file; they help filter log messages faster and improve performance.

If the rule file includes these options, the following criteria must be satisfied:

  • source_type must have a valid log type; cannot be empty

    source_type= limits the regexp filters to logs of a specific source type.

    For example,

    source_type=LogLogic Appliance
  • Match pattern must be valid; cannot be empty

    match= <unique string matching part of the log message>

    The “match” option is applied and validated only when it is written as “match=”. If you write “match” alone (without =), it is not validated.

    This applies the matching string to each log; only logs that contain the string are tested against the regular expression. The match option is especially helpful when the regexp becomes complicated.

    For example,

    match=action:login;status:success;
  • forwardall

    To forward all logs to the destination, use the forwardall option. This option is required with shred/replace when the rule contains no regexp/template.
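The following added example (not LogLogic's own code) models the validation criteria and the source_type-then-match-then-regexp filtering order described above. The rule file and log records are constructed, and the "regexp" key name is an assumption.

```python
import re

# Constructed sample rule file in the key=value form described above
# (the "regexp" key name is an assumption, not from the page).
RULE_FILE = r"""
source_type=LogLogic Appliance
match=action:login;status:success;
regexp=user=(?P<user>\w+).*src=(?P<src>[\d.]+)
"""
# Constructed sample records as (source type, message) pairs.
LOGS = [
    ("LogLogic Appliance", "action:login;status:success; user=alice src=10.0.0.5"),
    ("LogLogic Appliance", "action:login;status:failure; user=bob src=10.0.0.6"),
    ("Other Device", "action:login;status:success; user=carol src=10.0.0.7"),
    ("LogLogic Appliance", "action:login;status:success; user=dave"),
]

def parse_rule(text):
    # key=value lines only; a bare "match" (no "=") is ignored, not validated
    rule = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        rule[key.strip()] = value.strip()
    return rule

def validate_rule(rule):
    # the criteria listed above: options that are present must not be empty
    errors = []
    if "source_type" in rule and not rule["source_type"]:
        errors.append("source_type must have a valid log type; cannot be empty")
    if "match" in rule and not rule["match"]:
        errors.append("match pattern must be valid; cannot be empty")
    return errors

def apply_rule(rule, logs):
    # source_type first, then the cheap substring match, then the regexp
    regexp = re.compile(rule["regexp"]) if "regexp" in rule else None
    selected = []
    for source_type, msg in logs:
        if "source_type" in rule and source_type != rule["source_type"]:
            continue
        if "match" in rule and rule["match"] not in msg:
            continue  # the regexp never runs on logs without the match string
        if regexp is None or regexp.search(msg):
            selected.append(msg)
    return selected
```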

    Warning: Multiple rules can refer to the same configuration rule file. If you overwrite the configuration file, all rules referencing that configuration file will be affected. Therefore, when creating a configuration rule file, always use a different file name to preserve the existing rule file, and keep a copy of all configuration rule files that have been uploaded.