Sumo Logic

Include and Exclude Rules

You can use include and exclude processing rules to specify what kind of data is sent to Sumo Logic.

If you specifically exclude a message, it functions as a blacklist filter, and the data will never be sent to Sumo Logic.

Include filters are whitelist filters, which can be useful when the list of log data you want to send to Sumo Logic is easy to filter. You can set up a whitelist filter instead of setting up exclude filters for all of the types of messages you'd like to exclude. For example, to include only messages coming from a Cisco ASA firewall, you could use the following:

Include filter

Rules and Limitations

When writing regular expression rules, you must follow these rules:

  • Your rule must be RE2 compliant.

  • Your rule must match the entire log message, from its start to its end, rather than only a section of it.

  • For single line messages, you must prefix and suffix the regular expression with .* if the string pattern you are matching is not at the beginning or end of the line. For example, if you want to exclude any message containing the words "secure" or "security", write the rule:


  • For multiline messages, add the single line modifier (?s) to the beginning and end of the expression so that your string matches regardless of where it occurs in the message. For example, if you want to exclude any Windows Event message containing the Event Code 5156, write the rule like this:

    (?s).*EventCode = 5156.*(?s)

  • Syslog UDP messages may contain a trailing newline character, so the (?s) form of the regular expression shown above is required for your string to match properly.

  • Exclude rules always take precedence over include rules.

  • If two or more rules are listed, the assumed Boolean operator is OR.

  • The Name of your processing rule must be less than 32 characters.

  • A rule will process a single line log message until 1MB of data is processed, and a multiline log message until 2,000 lines or 512KB of data is processed, whichever comes first. Once these limits are reached, the processing rule ignores the rest of the log message and moves on to the next log.
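The following added example (not Sumo Logic's code) models the rule semantics described above: whole-message matching, the need for .* and (?s), the trailing-newline pitfall on syslog UDP, OR between rules, and exclude-over-include precedence. It uses Python's re module as a stand-in for RE2 (an assumption; the patterns here behave the same in both), and all log samples are constructed.

```python
import re

# Constructed sample messages (not taken from the Sumo Logic page).
SINGLE_LINE = "Jan 10 12:00:01 host sshd[42]: Accepted publickey for admin (secure)"
# Syslog over UDP often carries a trailing newline, which '.' does not match.
SYSLOG_UDP = "Jan 10 12:00:02 host sshd[42]: security audit trail opened\n"
WINDOWS_EVENT = (
    "LogName=Security\n"
    "SourceName=Microsoft Windows security auditing.\n"
    "EventCode = 5156\n"
    "Message=The Windows Filtering Platform has permitted a connection.\n"
)
CISCO_ASA = ("Jan 10 12:00:03 fw %ASA-6-302013: Built outbound TCP connection 7 "
             "for outside:203.0.113.5/443 to inside:10.0.0.8/51514")

def matches(rule, message):
    """A processing rule must match the entire message, so use fullmatch, not search.
    Note: Python only accepts the (?s) flag at the start of a pattern, so the
    rules below carry it once at the front rather than at both ends."""
    return re.compile(rule).fullmatch(message) is not None

def should_send(message, include_rules=(), exclude_rules=()):
    """Decide whether a message is forwarded.
    - Any matching exclude rule drops the message (exclude beats include).
    - Multiple rules are combined with OR.
    - With no include rules configured, anything not excluded is sent.
    """
    if any(matches(r, message) for r in exclude_rules):
        return False
    if include_rules and not any(matches(r, message) for r in include_rules):
        return False
    return True

if __name__ == "__main__":
    # Whitelist only Cisco ASA traffic, but never ship the noisy 5156 events.
    includes = [r".*%ASA-.*", r"(?s).*EventCode = .*"]
    excludes = [r"(?s).*EventCode = 5156.*"]
    for msg in (SINGLE_LINE, SYSLOG_UDP, WINDOWS_EVENT, CISCO_ASA):
        print(should_send(msg, includes, excludes), repr(msg[:40]))
```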