...
- The first rule that matches handles the event; no later rule is checked at all. The order of your rules therefore matters: the catch-all rule (in our case, the "unknown" rule) has to come last.
- Rules that have an explicit pattern or other conditions defined match only a subset of events, so they can often be moved up and down independently of each other. Among those, put the rules that match most often at the top. This increases your "rule hit ratio" and, thus, the performance of the Event Console.
- To increase performance further, place a drop rule at the top of your list that drops every event whose syslog facility does not match the one you defined in your forwarding rule.
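The three ordering rules above can be checked with a small simulation. The following is an added example, not Checkmk code: a minimal first-match evaluator that mimics the Event Console semantics described here (the first matching rule wins, later rules are never inspected) and counts how many rule comparisons each ordering costs. The `Rule` fields (`facility`, `pattern`, `invert_match`), the rule ids, the assumed forwarding facility `local6` and the sample events are all constructed for the demonstration.

```python
"""Added example, not Checkmk code: a first-match rule evaluator that mimics the
Event Console ordering semantics (first matching rule wins, later rules are never
inspected) and counts the rule comparisons each ordering costs.
Rule fields, rule ids, the facility local6 and the events are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    rule_id: str
    action: str                      # "drop" or "open" (create an event)
    facility: Optional[str] = None   # constructed condition: syslog facility must equal this
    pattern: Optional[str] = None    # constructed condition: regex searched in the message text
    invert_match: bool = False       # constructed: negate the conditions (match everything except)

    def matches(self, event: Dict[str, str]) -> bool:
        ok = True
        if self.facility is not None and event.get("facility") != self.facility:
            ok = False
        if ok and self.pattern is not None and not re.search(self.pattern, event.get("text", "")):
            ok = False
        return (not ok) if self.invert_match else ok


@dataclass
class Stats:
    comparisons: int = 0                               # rules inspected across all events
    hits: Dict[str, int] = field(default_factory=dict)  # how often each rule handled an event


def evaluate(rules: List[Rule], event: Dict[str, str], stats: Stats) -> Optional[Rule]:
    """Return the first rule that matches; rules after it are not checked at all."""
    for rule in rules:
        stats.comparisons += 1
        if rule.matches(event):
            stats.hits[rule.rule_id] = stats.hits.get(rule.rule_id, 0) + 1
            return rule
    return None


def run(rules: List[Rule], events: List[Dict[str, str]]) -> Tuple[List[Optional[str]], Stats]:
    """Classify every event; return (id of the handling rule per event, cost statistics)."""
    stats = Stats()
    handled = [evaluate(rules, ev, stats) for ev in events]
    return [r.rule_id if r else None for r in handled], stats


# Constructed rules. The forwarding rule is assumed to deliver events with facility local6,
# so the drop rule inverts a facility match to discard everything that is not local6.
RULE_DROP_FOREIGN = Rule("drop_foreign", "drop", facility="local6", invert_match=True)
RULE_SSH_FAIL = Rule("ssh_fail", "open", pattern=r"Failed password")
RULE_OOM = Rule("oom", "open", pattern=r"Out of memory")
RULE_SSH_OK = Rule("ssh_ok", "drop", pattern=r"Accepted publickey")
RULE_UNKNOWN = Rule("unknown", "open")   # catch-all: no conditions, matches everything

RULES_ORDERED = [RULE_DROP_FOREIGN, RULE_SSH_FAIL, RULE_OOM, RULE_SSH_OK, RULE_UNKNOWN]
RULES_DROP_LAST = [RULE_SSH_FAIL, RULE_OOM, RULE_SSH_OK, RULE_DROP_FOREIGN, RULE_UNKNOWN]
RULES_UNKNOWN_FIRST = [RULE_UNKNOWN, RULE_DROP_FOREIGN, RULE_SSH_FAIL, RULE_OOM, RULE_SSH_OK]

# Constructed sample events (facility + message text), as a syslog forwarder might deliver them.
EVENTS = [
    {"facility": "local6", "text": "sshd[123]: Accepted publickey for admin from 192.0.2.10"},
    {"facility": "local6", "text": "kernel: Out of memory: Kill process 4242 (java)"},
    {"facility": "cron",   "text": "CRON[1]: (root) CMD (run-parts /etc/cron.hourly)"},
    {"facility": "auth",   "text": "pam_unix(sudo:session): session opened for user root"},
    {"facility": "local6", "text": "something unusual happened"},
    {"facility": "local6", "text": "sshd[124]: Failed password for invalid user test"},
]


if __name__ == "__main__":
    for name, rules in [("drop rule first", RULES_ORDERED),
                        ("drop rule late", RULES_DROP_LAST),
                        ("catch-all first", RULES_UNKNOWN_FIRST)]:
        ids, stats = run(rules, EVENTS)
        print(f"{name:16s} comparisons={stats.comparisons:2d} handled_by={ids}")
```

Running it shows the two effects the list describes: with the drop rule at the top, the foreign-facility events cost one comparison each and the whole batch takes 16 comparisons instead of 19 with the drop rule placed late, while the classification of every event stays identical. Putting the catch-all "unknown" rule first is the cheapest ordering of all (6 comparisons), but every event, including the ones you wanted dropped, is then handled by "unknown", which is exactly why the catch-all must be last.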
After that, your rule pack should look similar to this:
...