An administrator may deem some messages undesirable, either specific logs produced by a source or a whole source. Such messages may result in CPU/disk resources being expended unnecessarily. Undesired log messages may result in Log Insight's data store being rotated more quickly than desired. In terms of licensing, one may wish to drop log messages from unlicensed sources, restricting sources from which log messages are accepted at all.
Such messages can be filtered out and dropped at ingestion time according to rules defined by the Log Insight administrator. Such rules should be crafted using the same mechanism searches use.
Upon receipt of syslog messages, Log Insight should consult the defined accept/drop rules. Messages should be dropped if they match one or more drop rules. A count of messages dropped by each rule should be maintained.
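The behaviour described above, sketched as an added example; it is not Log Insight code. The rule form (a field name plus a regular expression) stands in for the search mechanism and is an assumption, as are the names `IngestFilter`, `parse` and `source-not-accepted`, and the sample messages are constructed.

```python
import re
from collections import Counter

# RFC 3164 style: "<PRI>Mmm dd hh:mm:ss host app[pid]: text"
LINE = re.compile(r"^<(\d{1,3})>\w{3}\s+\d+\s[\d:]{8}\s(\S+)\s([^:\[\s]+)(?:\[\d+\])?:\s?(.*)$")
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse(source, line):
    """Split a syslog line into the fields that rules can match on."""
    m = LINE.match(line)
    if m is None:  # unparseable: keep the raw text so only an explicit rule can drop it
        return {"source": source, "severity": "", "host": "", "app": "", "text": line}
    pri, host, app, text = m.groups()
    return {"source": source, "severity": SEVERITIES[int(pri) & 7],
            "host": host, "app": app, "text": text}

class IngestFilter:
    def __init__(self, drop_rules, accepted_sources=None):
        # drop_rules maps a rule name to (field, regex); hypothetical rule format
        self.drop_rules = {n: (f, re.compile(p)) for n, (f, p) in drop_rules.items()}
        self.accepted_sources = accepted_sources  # None accepts every source
        self.dropped = Counter()                  # per-rule drop counts

    def ingest(self, source, line):
        """Return the parsed event, or None when the message is dropped."""
        if self.accepted_sources is not None and source not in self.accepted_sources:
            self.dropped["source-not-accepted"] += 1
            return None
        event = parse(source, line)
        hits = [n for n, (f, rx) in self.drop_rules.items() if rx.search(event[f])]
        for name in hits:  # a message matching several rules is counted for each
            self.dropped[name] += 1
        return None if hits else event

# Constructed sample input: (sender address, raw message)
SAMPLE = [
    ("10.0.0.5", "<15>Jan  3 10:00:01 web01 nginx[812]: upstream keepalive probe ok"),
    ("10.0.0.5", "<11>Jan  3 10:00:02 web01 nginx[812]: upstream timed out"),
    ("10.0.0.9", "<14>Jan  3 10:00:03 lab07 cron[99]: job started"),
    ("10.0.0.6", "<15>Jan  3 10:00:04 db01 healthcheck: probe ok"),
    ("10.0.0.6", "<38>Jan  3 10:00:05 db01 sshd[4411]: Failed password for root"),
]

def run_sample():
    f = IngestFilter({"debug-severity": ("severity", r"^debug$"),
                      "health-probes": ("text", r"probe ok")},
                     accepted_sources={"10.0.0.5", "10.0.0.6"})
    kept = [e for e in (f.ingest(s, l) for s, l in SAMPLE) if e]
    return kept, dict(f.dropped)
```

The per-rule counters also serve as a review aid: a drop rule whose count climbs unexpectedly may be discarding messages that were meant to be retained.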