Include and Exclude Rules

You can use include and exclude processing rules to specify what kind of data is sent to Sumo Logic.

If you specifically exclude a message, it functions as a blacklist filter, and the data will never be sent to Sumo Logic.

Include filters are whitelist filters, which can be useful when the list of log data you want to send to Sumo Logic is easy to filter. You can set up a whitelist filter instead of setting up exclude filters for all of the types of messages you'd like to exclude. For example, to include only messages coming from a Cisco ASA firewall, you could use the following:


Rules and Limitations

When writing regular expression rules, you must follow these rules:

  • You must match the entire message, which often means that you must prefix and suffix the regular expression with .* if the string you are matching is not at the beginning or end of the line of a single-line message, for example:
    .*EventCode = 5156.*
  • The rule must match from the start to the end of any log message rather than addressing only a section. For example, if you want to exclude any message containing the words "secure" or "security", write the rule: .*secur.*
  • For multiline messages, add single line modifiers (?s) to the beginning and end of the expression to simplify matching your string, regardless of where it occurs in the message. For example:
    (?s).*secur.*(?s)
  • Syslog UDP messages may contain a trailing newline character, so the (?s) form of the regular expression shown above is needed for the rule to match the whole message.
  • Exclude rules always take precedence over include rules.
  • If two or more rules are listed, the assumed Boolean operator is OR.
  • The Name of your processing rule must be less than 32 characters.
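The following is an added example, not code from the Sumo Logic documentation or product, that simulates the rules above so you can see why whole-message matching, the (?s) modifier, and the exclude-over-include precedence matter before deploying a rule. It assumes that Python's re.fullmatch is a reasonable stand-in for the collector's whole-message matching; the sample log lines are constructed here. Python only accepts an inline (?s) flag at the start of a pattern, so the trailing (?s) shown in the documentation is omitted in this simulation.

```python
import re

# Constructed sample messages (not from the original page): a single-line
# message, a multi-line message, a syslog-style message with a trailing
# newline, and an unrelated message.
MESSAGES = [
    "Jan 01 00:00:01 host sshd[123]: security audit event",
    "Jan 01 00:00:02 host kernel: EventCode = 5156 connection allowed\nsrc=10.0.0.1 dst=10.0.0.2",
    "Jan 01 00:00:03 host app: secure channel established\n",
    "Jan 01 00:00:04 host app: routine heartbeat",
]


def rule_matches(pattern, message):
    # A processing rule must match the entire message, so use fullmatch rather
    # than search. This is exactly why a rule needs the leading/trailing .*
    # and, for multi-line or newline-terminated messages, the (?s) modifier:
    # without (?s), '.' does not consume '\n', and fullmatch fails.
    return re.fullmatch(pattern, message) is not None


def is_sent(message, include=(), exclude=()):
    """Return True if the message would be sent, False if it is filtered out.

    Assumed semantics, taken from the rules listed on this page:
    - exclude rules always take precedence over include rules
    - two or more rules of the same kind are combined with OR
    - with no include rules configured, everything not excluded is sent
    """
    if any(rule_matches(p, message) for p in exclude):
        return False
    if include:
        return any(rule_matches(p, message) for p in include)
    return True


def filter_messages(messages, include=(), exclude=()):
    # Apply the rule set to a batch of messages and keep only those that pass.
    return [m for m in messages if is_sent(m, include, exclude)]


if __name__ == "__main__":
    # Whole-message matching without (?s) fails on the multi-line message
    # and on the message with a trailing newline.
    print(rule_matches(r".*EventCode = 5156.*", MESSAGES[1]))      # False
    print(rule_matches(r"(?s).*EventCode = 5156.*", MESSAGES[1]))  # True
    print(rule_matches(r".*secur.*", MESSAGES[2]))                 # False
    print(rule_matches(r"(?s).*secur.*", MESSAGES[2]))             # True
    # Exclude wins over include: the sshd line mentions "security" but is dropped.
    print(filter_messages(MESSAGES, include=[r"(?s).*secur.*"],
                          exclude=[r"(?s).*sshd.*"]))
```

Running the script shows the two failure modes the page warns about (a multi-line message and a newline-terminated syslog message both slip past a rule written without (?s)) and that a message matching both an include and an exclude rule is dropped.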