Is there a recommended way to specifically ignore certain handshakefailed (or other internally-generated) errors?
For example, I have a rule set that handles coaching for a specific destination. This site uses SSL. There are certain client programs which will attempt to hit that site, but since they don't have any functionality to handle the coaching page, the handshake fails. The failure is logged.40,000+ times/day.
I was thinking something like this:
Message.TemplateName equals "handshakefailed" AND
User-Agent equals X AND
URL.DestinationIP is in range x.x.x.x/y
Event: Set Log Handler = no logging
I started by trying to set the log handler to one that doesn't log anything, but that wasn't successful because there's nowhere before the Default log handler to insert the rule so that it gets activated.
So what I've implemented is a rule in the base Default log handler that uses the original criteria, but uses action Stop Cycle.
This appears to work. Any reason that I shouldn't do this?
using stop cycle on top of the logs is a suitable way to prevent MWG from logging specific requests. When I want to exclude something I usually do it the same way :-)
Probably it would be an additional benefit to file an SR with support and analyze why the error is thrown so often?
Maybe it would be another option to add a stop ruleset rule to the coaching rule set that disabled coaching for the user-agents that fail. You don't need to skip log file writing for errors that don't happen.