Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Configuring Routing Rules to Forward Data

Forward data by configuring filter-based routing rules.

You can configure routing rules to forward data in either online or offline mode:

  • In Online mode, your data remains current because forwarding is done in real time. If the forwarding destination becomes unreachable, any data that is sent to that destination is not delivered, resulting in missing data on that remote system. To ensure that delivery is successful, use offline mode.

  • In Offline mode, all data is first stored in the database and then sent to the forwarding destination. This mode ensures that no data is lost; however, delays in data forwarding can occur.

  1. On the navigation menu (), click Admin.
  2. In the System Configuration section, click Routing Rules.
  3. On the toolbar, click Add.
  4. In the Routing Rule window, type a name and description for your routing rule.
  5. In the Mode field, select one of the following options: Online or Offline.
  6. In the Forwarding Event Collector or Forwarding Event Processor list, select the event collector from which you want to forward data.

    Learn more about the forwarding appliance:

    • Forwarding Event Collector - Specifies the Event Collector that you want this routing rule to process data from. This option displays when you select the Online option.

      Note:

      Online/Realtime forwarding is not impacted by any Rate Limit or Scheduling configurations that might be configured on a Store and Forward event collectors.

    • Forwarding Event Processor - Specifies the Event Processor that you want this routing rule to process data from. This option is displayed when you select the Offline option.

      Note:

      This option is not available if Drop is selected from the Routing Options pane.

  7. In the Data Source field, select which data source you want to route: Events or Flows.

    The labels for the next section change based on which data source you select.

  8. Specify which events or flows to forward by applying filters:

    1. To forward all incoming data, select the Match All Incoming Events or Match All Incoming Flows checkbox.

      Note:

      If you select this checkbox, you cannot add a filter.

    2. To forward only some events or flows, specify the filter criteria, and then click Add Filter.

  9. Specify the routing options to apply to the forwarded data:

    1. Optional: If you want to edit, add, or delete a forwarding destination, click the Manage Destinations link.

    2. To forward log data that matches the specified filters, select the Forward checkbox and then select the checkbox for each forwarding destination.

      Note:

      If you select the Forward check box, you can select only one of these check boxes: Drop, Bypass Correlation, or Log Only.

  10. Click Save.

Routing options for rules

You can choose from four rule routing options: Forward, Drop, Bypass correlation, and Log Only. The following table describes the different options and how to use them.

Table 1: Rule Routing Options

Routing type

Description

Forward

Data is forwarded to the specified forwarding destination. Data is also stored in the database and processed by the Custom Rules Engine (CRE).

Drop

Data is dropped. The data is not stored in the database and is not processed by the CRE. This option is not available if you select the Offline option. Any events that are dropped are credited back 100% to the license.

Bypass Correlation

Data bypasses CRE, but it is stored in the database. This option is not available if you select the Offline option.

The Bypass correlation option does not require an entitlement for JSA Data Store. Bypass correlation allows events that are received in batches to bypass real-time rules. You can use the events in analytic apps and for historical correlation runs. For historical correlation runs, the events can be replayed as though they were received in real time.

Log Only (Exclude Analytics)

Events are stored and flagged in the database as Log Only and bypass CRE. These events are not available for historical correlation, and are credited back 100% to the license. This option is not available for flows or if you select the Offline option.

The Log Only option requires an entitlement for JSA Data Store. After the entitlement is purchased and the Log Only option is selected, events that match the routing rule are stored to disk and are available to view and for searches. The events bypass the custom rule engine and no real-time correlation or analytics occur. The events can't contribute to offenses and are ignored when historical correlation runs.

The following table describes different routing option combinations that you can use. These options are not available in offline mode.

Table 2: Rule Routing Combination Options

Routing combination

Description

Forward and Drop

Data is forwarded to the specified forwarding destination. Data is not stored in the database and is not processed by the CRE. Any events that are dropped are credited back 100% to the license.

Forward and Bypass Correlation

Data is forwarded to the specified forwarding destination. Data is stored in the database, but it is not processed by the CRE.

Forward and Log Only (Exclude Analytics)

Events are forwarded to the specified forwarding destination. Events are stored and flagged in the database as Log Only and bypass CRE. These events are not available for historical correlation, and are credited back 100% to the license.

If data matches multiple rules, the safest routing option is applied. For example, if data that matches a rule that is configured to drop and a rule to bypass CRE processing, the data is not dropped. Instead, the data bypasses the CRE and is stored in the database.

Related Documentation