Additional Options in the Configuration Rule File
It is good practice to add additional options (such as, source_type, match) in the configuration rule file, that will help filter log messages faster and speed up the performance.
If the rule file includes these options, the following criteria must be satisfied:
- source-type must have a valid log type; cannot be empty
source_type= is used to limit regexp filters to logs of specific source type.
For example,
source_type=LogLogic Appliance
- Match pattern must be valid; cannot be empty
match= <unique string matching part of the log message>
The “match” can be used and validated only when written as “match=”. If you use “match” only (without =), then it will not be validated.
This will apply the matching string to each log. Only those logs containing the string will be tested against the regular expression. The match option is very helpful when the regexp gets complicated.
For example,
match=action:login;status:success;
- forwardall
To enable all logs to be forwarded to the destination, use the forwardall option. This option is required with shred/replace, when there is no regexp/template in the rule.
Warning: Multiple rules can refer to the same configuration rule file. If you overwrite the configuration file, all rules referencing to that configuration file will be affected. Therefore, when creating a configuration rule file, always use a different file name to preserve an existing rule file and keep a copy of all configuration rule files that have been uploaded.