The following walk-through illustrates how to create a simple Rule in Kiwi Syslog Server
In the following scenario, we will be creating a rule that will stop processing any unwanted syslog messages.

Create a new rule

Click on the Kiwi Syslog Server  'Setup' icon.

Select 'Rules' node of tree (if not already selected).

Click on 'Create new item' icon. This will create the new Rule.

This will create a new Rule named 'New Rule', which doesn't yet have any filters or actions assigned to it.

Type in or rename the rule name:

Note: How to rename Rules, Filters and Actions in Kiwi Syslog Server Using the toolbar OR Using the context menu

Assign filters

In this scenario, we will be creating a Rule that will Stop processing any unwanted syslog messages. "Unwanted messages"
will be identified as any message received from one host in particular (identified by it's IP Address), which contains
'ppp connected' or 'ppp disconnected' in the Message text.

1. The IP Address Filter

In the newly created Rule, select the 'Filters' node (if it is not already selected).

Click on 'Create new item' icon. This will create the new Filter.

Type in the new filter name:

The purpose of the first filter is to identify messages that have been sent by one host in particular. In this example, we know
the IP Address of the host, so select 'IP Address' from the Fields drop down, as follows:



With the Field set to 'IP Address', select the filter type 'Simple' from the 'Filter Type' drop-down box.
This will ensure that we are using simple text based matching of our IP Address.

In the 'Include' text-box, type in the IP Address of the host that we are no longer interested in receiving messages from.
The IP Address needs to be in double-quotes, as follows:

2. The Message-text Filter

Once again, select the 'Filters' node (if it is not already selected).

Click on 'Create new item' icon. This will create another Filter.

Type in new filter name:



The purpose of the second filter is to identify messages that have 'ppp connected' or 'ppp disconnected' in the message text.
In this example, we know we need to filter on the Message text, so select 'Message text' from the Fields drop down, as follows:



With the Field set to 'Message text', select the filter type 'Simple' from the 'Filter Type' drop-down box.
This will ensure that we are using simple text based matching of our Message text.



In the 'Include' text-box, type in "ppp connected" "pppdisconnected".

Each search item to include must be in double-quotes. By including multiple quoted search strings, it is possible
to match "ppp connected" OR "ppp disconnected".
eg. "ppp connected" "ppp disconnected" matches on either "ppp connected" or "ppp disconnected".

If you want to test the filters, you can use the 'test' button. More information on how to use the test system can be
found at: HOW TO: Use the Test button to test your filters and actions

Assign the Action

Select the 'Actions' node of the new rule (if it is not already selected).

Click on 'Create new item' icon. This will create the new Action.

Type in the Action name:

Select 'Stop processing message' from the Action drop-down box.

Change the precedence of the new Rule

To change the precedence of any rule, use the Up/Down arrows in the toolbar. In this scenario, the
'Remove Unwanted Messages' needs to be placed before the log and display (Default) rules.
Otherwise, it doesn't have any effect (since rules are processed from top to bottom).

When the rule is in place and is selected, it should look like this:


Click the 'Apply' button to apply the changes. The 'Remove Unwanted Messages' Rule will be processed from now on.

Click the 'OK' button to close the Setup window, and return to the Kiwi Syslog Daemon main display.