Document toolboxDocument toolbox

How to set up the Devo Relay

Owned by Juan Tomás Alonso Nieto (Deactivated)
Last updated: Jun 07, 2022 by Former user (Deleted)
3 min read
[ 1 Proposal of rules, ports, and Devo tags ] [ 2 How to define a new Devo Relay rule ]

A relay rule evaluates an inbound event by the port it was received on and any other source criteria defined in the rule. When the criteria are met, the rule dictates how the event should be processed. Usually, this means applying a specific Devo tag or filtering out events that don't need to be sent to Devo.

To handle a few common inbound event types, all in-house relays have four predefined rules. Three of these are designed to receive events from specific sources incapable of applying tags, and the fourth rule simply acts as a forwarder for events that are already tagged. These predefined rules use ports 12999-13002. This means you cannot use these ports to set up custom rules. 

Proposal of rules, ports, and Devo tags

We at Devo encourage you to use this proposed combination of Devo rules, ports, and tags for each NSS feed to understand how it works. For custom configurations, such as creating two feeds from the same NSS Feed with different filters for each, you will need to create your own TCP port map.

NSS feed

Devo In-House Relay port

Devo tag

NSS feed

Devo In-House Relay port

Devo tag

Alerts

13003

proxy.zscaler.zia.alert.syslog

Web Logs

13004

proxy.zscaler.zia.web.json

DNS Logs

13005

proxy.zscaler.zia.dns.json

Firewall Logs

13006

proxy.zscaler.zia.firewall.json

Tunnel Logs

13007

proxy.zscaler.zia.tunnel.json

SaaS Security Logs - Collaboration

13008

proxy.zscaler.zia.saas_collaboration.json

SaaS Security Logs - CRM

13009

proxy.zscaler.zia.saas_crm.json

SaaS Security Logs - Email

13010

proxy.zscaler.zia.saas_email.json

SaaS Security Logs - File

13011

proxy.zscaler.zia.saas_file.json

SaaS Security Logs - ITSM

13012

proxy.zscaler.zia.saas_itsm.json

SaaS Security Logs - Repository

13013

proxy.zscaler.zia.saas_respository.json

Although you can customize your own ports according to your needs, keep in mind that you should always use the tag indicated for each NSS feed.

How to define a new Devo Relay rule

  1. Log into your Devo account.

  2. Go to Administration → Relays and click the relay name to pen the relay details window to the Relay Input (Rules) tab.

  3. To set up a new rule, click the Add Rule button.

  4. The Rule Definition window opens. Set up your new rule:

    1. Type a unique Rule name to your new rule.

    2. (optional) Although the Description is not mandatory, it is a good practice.

    3. Identify the Source port on which the relay will receive the inbound events. It is good practice to dedicate a single port to a single event source. Example: If you are setting up the Alarm Feed, you should type 13003

    4. Enter the Devo tag in the Target tag field. For example: if you are setting up the Alarm Feed, you should type proxy.zscaler.zia.alert.syslog 

    5. Select the Sent without syslog tag checkbox.

    6. (optional) Select the Stop processing checkbox if you don't want the event to be subject to any subsequent relay rules. If this is the only rule that will run on events received on the specified port, this is not necessary.

    7. Click on ADD RULE to save the new relay rule.

  5. When your rules are ready, click on APPLY CONFIGURATION to send the updates to Devo Relay.


Your rule/s will be activated in your relay in no time.