Processing rules filter and can forward data sent to Sumo Logic from a Source. The rules affect only the data sent to Sumo Logic; logs on your end remain intact and unchanged. Data filtered by a Collector using Processing Rules does not count towards your daily data volume quota. Filtered data is fed to the Collector, but does not upload to the Sumo Logic cloud. You can apply any of the following rules:
- Exclude messages that match. Remove messages that you don't want to send to Sumo Logic at all ("blacklist" filter). These messages are skipped after reaching the Source and are not uploaded to Sumo Logic.
- Include messages that match. Send only the data you'd like in your Sumo Logic account (a "whitelist" filter). This type of rule can be useful, for example, if you only want to include only messages coming from a firewall.
- Hash messages that match. Replace a message with a unique, randomly-generated code to protect sensitive or proprietary information. You may want to hash unique identifiers, such as credit card numbers or user names. By hashing this type of data, you can still track it, even though it's fully hidden.
- Mask messages that match. Replace an expression with a mask string that you can customize—this is another option to protect data, such as passwords, that you wouldn't normally track.
- Forward messages that match. Send data from an Installed Collector Source to a selected non-Sumo location. See Configure Data Forwarding Destinations for instructions on setting up the Data Forwarding destinations.
- Exclude, include, hash, and mask rules can process single line logs up to 1MB and multiline logs up to 2,000 lines or 512KB, whichever comes first.
- The maximum number of Processing Rules allowed on a Source is 100.
How do Processing Rules Work Together?
You can create one or more processing rules for a Source, combining the different types of filters to generate the exact data set you want sent to Sumo Logic. When a Source has multiple rules they are processed in the following order: includes, excludes, masks, then forwarders.
Rules work together as follows:
- Data forwarding rules are processed after all other processing rules.
- Exclude rules override all other types for a specific value. If you're excluding a value, it won't be sent to the Sumo Logic Cloud so it can't be hashed or masked.
- Mask and hash rules are applied after exclusion and inclusion rules to ensure that the inclusion rule sees log lines in their original state (rather than a log line with some values hidden).