Hi Adem,
Sorry for the delayed response. Generally speaking, routing rules are not considered to be very expensive computationally, especially for the Drop action (the Forward action is more expensive). But the relative cost of a routing rule is dependent on the complexity of the match criteria - if using inexpensive operations like checking the value of log source type, log source, QID, username, source IP, etc they are quite fast. If you would be doing a "Payload Contains" check or applying regex to either the full payload or to a property/field value, this will increase the computational cost. Can you provide any details as to the criteria for which you would be dropping events?
Cheers
Colin
------------------------------
COLIN HAY
IBM Security
------------------------------
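As an added illustration of the cost point above (example code written for this thread, not from the original posts and not QRadar's own engine): a small simulated Drop-rule evaluator in which cheap equality tests on fields such as log source type are checked before a "Payload Contains"-style regex, so the expensive test only runs on events that pass the cheap gate. The event records, field names and regex are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample events in a QRadar-like shape; not real QRadar records.
EVENTS = [
    {"log_source_type": "WindowsAuthServer", "username": "svc_backup",
     "payload": "EventID=4624 LogonType=3 user=svc_backup"},
    {"log_source_type": "WindowsAuthServer", "username": "alice",
     "payload": "EventID=4624 LogonType=2 user=alice"},
    {"log_source_type": "LinuxServer", "username": "root",
     "payload": "sshd[812]: Accepted publickey for root from 10.0.0.5"},
    {"log_source_type": "Firewall", "username": "",
     "payload": "action=deny src=10.0.0.7 dst=8.8.8.8 dpt=53"},
]

@dataclass
class DropRule:
    # Simulated Drop routing rule: cheap field equality tests, then an optional regex.
    cheap: dict = field(default_factory=dict)
    payload_regex: str = ""   # empty string means "no payload regex"
    regex_evals: int = 0      # how many times the expensive regex actually ran

    def matches(self, event: dict) -> bool:
        # Inexpensive field comparisons first; any miss short-circuits the rule.
        for key, value in self.cheap.items():
            if event.get(key) != value:
                return False
        if not self.payload_regex:
            return True
        self.regex_evals += 1
        return re.search(self.payload_regex, event["payload"]) is not None

def route(events, rules):
    """Return (kept, dropped) after applying every Drop rule to each event."""
    kept, dropped = [], []
    for ev in events:
        (dropped if any(r.matches(ev) for r in rules) else kept).append(ev)
    return kept, dropped

def compare_rule_shapes():
    """Same drop outcome, different regex cost: payload-only vs. gated by a cheap field."""
    pattern = r"EventID=4624 LogonType=3 user=svc_"
    payload_only = DropRule(payload_regex=pattern)
    gated = DropRule(cheap={"log_source_type": "WindowsAuthServer"}, payload_regex=pattern)
    _, dropped_a = route(EVENTS, [payload_only])
    _, dropped_b = route(EVENTS, [gated])
    return {"dropped_same": dropped_a == dropped_b, "dropped_count": len(dropped_a),
            "regex_evals_payload_only": payload_only.regex_evals,
            "regex_evals_gated": gated.regex_evals}
```

Both rule shapes drop the same single event, but the gated rule runs the regex only on the two Windows events instead of all four.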
Original Message:
Sent: Tue March 11, 2025 02:51 PM
From: Adem Güler
Subject: Events Dropping without Routing Rules
Hi Colin,
Firstly, thank you for your feedback and detailed answer. The reason we want to avoid using routing rules here is that we think it will overload the system resources on the console. What is your opinion about this?
------------------------------
Adem Güler
Original Message:
Sent: Tue March 11, 2025 02:09 PM
From: COLIN HAY
Subject: Events Dropping without Routing Rules
Hi Adem,
It is possible to drop events at the EC level (before the EP) using routing rules in "online" mode.
Although this satisfies your need to drop at the EC, I notice you specified "without routing rules" in your topic; I'm not sure why you want to avoid routing rules, but if for whatever reason you cannot use them, your only other option would be to prevent the events from being ingested at all. This can be handled in multiple ways, depending on the mechanism used to collect the data. Our WinCollect agent can have filters configured such that it only sends certain events. Other syslog sources may have similar filtering capabilities; it depends entirely on what is transmitting the syslog events. Many of our protocols that "pull" event data via various REST APIs, JDBC queries, and so on may have filtering capabilities at the query level, but again it depends on the specific integration. Likewise, the protocols that use a pub/sub paradigm may have filtering capabilities, or useful data vs unuseful data can be separated at the topic/subscription/eventhub/etc level such that only useful event data can be retrieved.
In short, online routing rules running in the EC are probably your best option, if you are willing to use them. If not, your goal may be doable, but it depends on the details.
Cheers
Colin
------------------------------
COLIN HAY
IBM Security
Original Message:
Sent: Tue March 11, 2025 01:40 PM
From: Adem Güler
Subject: Events Dropping without Routing Rules
Hi guys,
We want to drop some events at the EC level before coming to the EP. Is there a method for this, has anyone tried it before?
Thanks in advance
------------------------------
Adem Güler
------------------------------