  1. Parse the message as a syslog message (unless message parsing is explicitly disabled for the source).

  2. Classify the message using a pattern database.

  3. Modify the message using rewrite rules (before filtering).

  4. Filter the messages, for example, based on sender hostname or message content. If the message does not match the configured filter, SSB will not send it to the destination.

  5. Parse the text of the message (that is, the ${MESSAGE} part) using a key-value parser or the sudo parser.

  6. Modify the message using rewrite rules (after filtering and other parsing).

  7. SSB sends the message to the destinations set in the logpath. The destinations are local, optionally encrypted files on SSB, or remote servers, such as a database server.
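
The order of these steps decides what each stage can see. The following added example is a simplified Python model of the sequence, not SSB's own code or configuration; the sample message, the single classification pattern and the function names are constructed for illustration. It shows that a filter (step 4) cannot match on keys extracted in step 5, and that a rewrite in step 3 changes what the filter sees while a rewrite in step 6 does not.

```python
import re

# Constructed sample in BSD-syslog layout; not taken from a real system.
SAMPLE = ("<86>Mar  3 10:15:02 web01 sshd[4021]: "
          "user=alice src=203.0.113.7 action=login result=failed")

SYSLOG_RE = re.compile(
    r"<(?P<PRI>\d+)>(?P<DATE>\w{3}\s+\d+ [\d:]{8}) (?P<HOST>\S+) "
    r"(?P<PROGRAM>[^\[:]+)(?:\[(?P<PID>\d+)\])?: (?P<MESSAGE>.*)")

def process(raw, pre_rewrite=None, flt=None, post_rewrite=None):
    """Model of the seven steps, in order. Returns the delivered message
    as a dict, or None when parsing fails or the filter rejects it."""
    m = SYSLOG_RE.match(raw)                       # 1: syslog parsing
    if not m:
        return None
    msg = m.groupdict()
    # 2: classification; one hypothetical pattern stands in for the database
    msg["CLASS"] = "violation" if "result=failed" in msg["MESSAGE"] else "unknown"
    if pre_rewrite:                                # 3: rewrite before filtering
        pre_rewrite(msg)
    if flt and not flt(msg):                       # 4: filter
        return None                                #    not sent to the destination
    # 5: key-value parsing of the ${MESSAGE} part
    msg.update(kv.split("=", 1) for kv in msg["MESSAGE"].split() if "=" in kv)
    if post_rewrite:                               # 6: rewrite after parsing
        post_rewrite(msg)
    return msg                                     # 7: handed to the destinations

def mask_user(msg):
    """Rewrite rule for the model: hide the user name in the message text."""
    msg["MESSAGE"] = re.sub(r"user=\S+", "user=***", msg["MESSAGE"])

def demo():
    wants_alice = lambda m: "user=alice" in m["MESSAGE"]
    return {
        # A filter on a key that step 5 has not extracted yet never matches.
        "filter_on_kv_key": process(SAMPLE, flt=lambda m: m.get("result") == "failed"),
        # The same intent written against message content works in step 4.
        "filter_on_content": process(SAMPLE, flt=lambda m: "result=failed" in m["MESSAGE"]),
        # Masking in step 3 changes what the filter sees; masking in step 6 does not.
        "mask_before_filter": process(SAMPLE, pre_rewrite=mask_user, flt=wants_alice),
        "mask_after_filter": process(SAMPLE, post_rewrite=mask_user, flt=wants_alice),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", "dropped" if result is None else result["MESSAGE"])
```

In this model, a message dropped by a filter that targets the wrong stage never reaches the destination, so a rule intended to retain failed logins must be written against fields that exist at step 4.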