
Scenario 4: Assign dynamic Devo tag using inbound source data

Some relay rules are designed to take information directly from the inbound event and use it as one or more levels of the Devo tag. This is useful when that information classifies the event type or source. Depending on how the tag is built, Devo either creates separate tables for the different event types or simply captures the value and saves it in an additional field of a single table.

Depending on how the data source generates the events, the information that you reuse in the Devo tag can be located anywhere in the syslog header or message. 

To learn how to reuse an event's syslog tag in the Devo tag, see Scenario 5.

To do this, build a regular expression that matches the part of the event containing the information you want to reuse. Each piece of information that will become a tag level must be enclosed in its own capturing group. Keep each group as narrow as the data allows (a limited character class rather than .*), so that unexpected content in an event cannot turn into unexpected tag levels and, with them, unexpected tables.

Create the rule

  1. Identify the Source port on which the relay will receive the inbound events. Again, it is a best practice to dedicate a single port to a single event source.

  2. Enter the regular expression in the Source message, Source data or Source tag field. 

  3. In the Target tag field, enter the fixed levels of the tag and use Devo backreferences to the capturing groups defined in the Source field to supply the remaining levels of the full tag.

Take for example...

A good example of this method is the log events generated by Fortinet products running FortiOS. Every FortiOS event has a header containing a series of key=value fields, including a type and a subtype that together classify the event content. The rule in this example uses the regular expression in the Source data field to evaluate the events arriving on relay port 13003. The Target tag then uses backreferences to the two capturing groups for the third and fourth levels of the tag. The Devo backreference \\d0 in the Target message field specifies that the entire syslog message is sent to Devo exactly as the relay received it.

Because the type and subtype fields can take several values, this single rule processes every kind of FortiOS event, assigning a different Devo tag to each type/subtype combination dynamically.
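To make the mechanism concrete, the following is an added Python example; it is not part of the Devo documentation or of the Devo relay code. It models one relay rule as data, applies a Source data regular expression with two capturing groups to a few constructed FortiOS-style events, and expands the \\d1/\\d2 tag backreferences and the \\d0 message backreference the way the steps above describe. The regular expression, the root tag firewall.fortinet, the port and the sample events are this example's own assumptions; the exact expression used in the page's rule is not reproduced here.

```python
from __future__ import annotations

import re

# Constructed FortiOS-style syslog events for the example (not real captures).
# FortiOS writes a key=value header in which type and subtype classify the event.
EVENTS = [
    '<189>date=2024-03-04 time=10:15:22 devname="fw-edge-01" devid="FGT60FTK00000001" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" '
    'srcip=10.0.0.5 dstip=93.184.216.34 action="accept"',
    '<189>date=2024-03-04 time=10:15:23 devname="fw-edge-01" devid="FGT60FTK00000001" '
    'logid="0316013056" type="utm" subtype="webfilter" level="warning" '
    'srcip=10.0.0.7 hostname="example.com" action="blocked"',
    '<189>date=2024-03-04 time=10:15:24 devname="fw-edge-01" devid="FGT60FTK00000001" '
    'logid="0100032001" type="event" subtype="system" level="information" '
    'msg="Admin login successful"',
    # A line without the type/subtype header: the rule must not match it.
    '<13>Mar  4 10:15:25 fw-edge-01 sshd[4242]: Accepted publickey for admin from 10.0.0.9',
]

# Hypothetical relay rule in the shape the page describes. The regular expression
# is this example's own, not the one in the page's rule. The character class is
# deliberately narrow: only lowercase letters, digits, "_" and "-" can become a
# tag level, so a malformed or hostile event cannot inject dots, spaces or quotes
# into the Devo tag and create tables the operator never intended.
FORTIOS_RULE = {
    "source_port": 13003,
    "source_data": re.compile(r'\btype="([a-z0-9_-]+)"\s+subtype="([a-z0-9_-]+)"'),
    "target_tag": r"firewall.fortinet.\\d1.\\d2",  # root tag is an assumption
    "target_message": r"\\d0",  # \\d0: the whole event exactly as received
}

# A Devo backreference as typed in the rule: the literal characters \\d followed
# by the capturing-group number.
BACKREF = re.compile(r"\\\\d(\d+)")


def apply_rule(event: str, rule: dict) -> dict | None:
    """Evaluate one relay rule against one event.

    Returns the tag and message the relay would send, or None when the Source
    data expression does not match (the event would then fall through to any
    later rule configured on the same port).
    """
    match = rule["source_data"].search(event)
    if match is None:
        return None

    def expand(template: str) -> str:
        # \\d0 is the full message as received; \\dN is capturing group N.
        return BACKREF.sub(
            lambda b: event if b.group(1) == "0" else match.group(int(b.group(1))),
            template,
        )

    return {"tag": expand(rule["target_tag"]), "message": expand(rule["target_message"])}


def route(events: list[str], rule: dict) -> dict[str, list[str]]:
    """Group events by the dynamic tag the rule assigns. Events the rule does
    not match are collected under "unmatched" so they are not silently lost."""
    tables: dict[str, list[str]] = {}
    for event in events:
        result = apply_rule(event, rule)
        key = result["tag"] if result else "unmatched"
        tables.setdefault(key, []).append(result["message"] if result else event)
    return tables


if __name__ == "__main__":
    for tag, messages in route(EVENTS, FORTIOS_RULE).items():
        print(f"{tag}: {len(messages)} event(s)")
```

Running the block shows three events landing in three different tags (one per type/subtype pair) and the SSH line left unmatched, which is the behaviour a practitioner should confirm on a test port before pointing production devices at the rule.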
