Configuring Routing Rules to Forward Data
Forward data by configuring filter-based routing rules.
You can configure routing rules to forward data in either online or offline mode:
In Online mode, your data remains current because forwarding is done in real time. If the forwarding destination becomes unreachable, any data sent to that destination is not delivered, resulting in missing data on that remote system. To ensure that delivery is successful, use offline mode.
In Offline mode, all data is first stored in the database and then sent to the forwarding destination. This mode ensures that no data is lost; however, delays in data forwarding can occur.
- On the navigation menu, click Admin to open the admin tab.
- In the System Configuration section, click Routing Rules.
- On the toolbar, click Add.
- In the Routing Rule window, type a name and description for your routing rule.
- In the Mode field, select one of the following options: Online or Offline.
- In the Forwarding Event Collector or Forwarding Event Processor list, select the event collector from which you want to forward data.
Learn more about the forwarding appliance:
Forwarding Event Collector - Specifies the Event Collector that you want this routing rule to process data from. This option displays when you select the Online option.
Online (real-time) forwarding is not affected by any Rate Limit or Scheduling settings that might be configured on Store and Forward event collectors.
Forwarding Event Processor - Specifies the Event Processor that you want this routing rule to process data from. This option is displayed when you select the Offline option.
This option is not available if Drop is selected from the Routing Options pane.
- In the Data Source field, select which data source you want to route: Events or Flows.
The labels for the next section change based on which data source you select.
- Specify which events or flows to forward by applying filters:
To forward all incoming data, select the Match All Incoming Events or Match All Incoming Flows check box.
If you select this check box, you cannot add a filter.
To forward only some events or flows, specify the filter criteria, and then click Add Filter.
- Specify the routing options to apply to the forwarded
Optional: If you want to edit, add, or delete a forwarding destination, click the Manage Destinations link.
To forward log data that matches the specified filters, select the Forward check box and then select the check box for each forwarding destination.
If you select the Forward check box, you can select only one of these check boxes: Drop, Bypass Correlation, or Log Only.
Learn more about routing options:
The Forward option specifies that data is forwarded to the specified forwarding destination. Data is also stored in the database and processed by the Custom Rules Engine (CRE).
The Drop option specifies that data is dropped. The data is not stored in the database and is not processed by the CRE. This option is not available if you select the Offline option. Any events that are dropped are credited back 100% to the license.
The Bypass Correlation option specifies that data bypasses CRE, but it is stored in the database. This option is not available if you select the Offline option.
The Log Only (Exclude Analytics) option specifies that events are stored and flagged in the database as Log Only and bypass CRE. These events are not available for historical correlation, and are credited back 100% to the license. This option is not available for flows.
The Log Only option requires a license for JSA Data Store. After the license is applied and the Log Only option is selected, events that match the routing rule will be stored to disk and will be available to view and for searches. The events bypass the custom rule engine and no real-time correlation or analytics occur. The events can't contribute to offenses and are ignored when historical correlation runs.
You can combine options in the following three ways:
Forward and Drop
Data is forwarded to the specified forwarding destination. Data is not stored in the database and is not processed by the CRE.
Forward and Bypass Correlation
Data is forwarded to the specified forwarding destination. Data is also stored in the database, but it is not processed by the CRE. The CRE at the forwarded destination processes the data.
Forward and Log Only (Exclude Analytics)
Events are forwarded to the specified forwarding destination in online mode. Events are stored and flagged in the database as Log Only and bypass CRE. These events are not available for historical correlation, and are credited back 100% to the license. This option is not available in offline mode.
If data matches multiple rules, the safest routing option is applied. For example, if data matches both a rule that is configured to drop it and a rule that is configured to bypass CRE processing, the data is not dropped. Instead, the data bypasses the CRE and is stored in the database.
- Click Save.
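The interaction between routing options is easy to get wrong when several rules match the same data, and a Drop or Log Only rule silently removes events from real-time correlation. The following added example is a constructed Python model of that behaviour, not JSA's own code or API. It assumes that a rule matches when every filter (field, operator, value) holds or Match All is set, that each option maps onto the effects the text above describes (stored in the database, processed by the CRE, forwarded), that "the safest routing option is applied" means an effect is kept whenever any matching rule grants it (which reproduces the Drop plus Bypass Correlation case above) with the Log Only flag kept only when every matching rule sets it, and that data matching no rule is stored and correlated as normal. The rule names, filters, destination name and sample events are all constructed.

```python
"""Constructed model of how JSA routing rules combine for a single event.

Not JSA's own code. Assumptions: a rule matches when all its filters hold
(or Match All is set); each option maps to the effects described in the
documentation; when several rules match, the least restrictive effect wins
and the Log Only flag survives only if every matching rule sets it; data
matching no rule is stored and processed by the CRE as normal.
"""
from dataclasses import dataclass, field
import operator

OPS = {"=": operator.eq, "!=": operator.ne,
       "contains": lambda actual, wanted: wanted in str(actual)}
VALID_OPTIONS = {"forward", "drop", "bypass_correlation", "log_only"}
CRE_BYPASSING = {"drop", "bypass_correlation", "log_only"}


@dataclass
class RoutingRule:
    name: str
    mode: str                                    # "online" or "offline"
    options: set                                 # e.g. {"forward", "drop"}
    data_source: str = "events"                  # "events" or "flows"
    filters: list = field(default_factory=list)  # [(field, op, value), ...]
    destinations: list = field(default_factory=list)
    match_all: bool = False

    def validate(self):
        """Reject the combinations the documentation says the UI does not allow."""
        unknown = self.options - VALID_OPTIONS
        if unknown:
            raise ValueError(f"{self.name}: unknown options {unknown}")
        if len(self.options & CRE_BYPASSING) > 1:
            raise ValueError(f"{self.name}: only one of Drop, Bypass Correlation "
                             "or Log Only may be selected")
        if self.mode == "offline" and (self.options & {"drop", "bypass_correlation"}
                                       or self.options == {"forward", "log_only"}):
            raise ValueError(f"{self.name}: option not available in offline mode")
        if "log_only" in self.options and self.data_source != "events":
            raise ValueError(f"{self.name}: Log Only is not available for flows")
        if self.match_all and self.filters:
            raise ValueError(f"{self.name}: Match All excludes filters")
        return True

    def matches(self, event):
        if self.match_all:
            return True
        return all(OPS[op](event.get(fld), value) for fld, op, value in self.filters)

    def effects(self):
        """Outcome for data that this rule alone would handle."""
        return {
            "stored": "drop" not in self.options,
            "cre": not (self.options & CRE_BYPASSING),
            "log_only": "log_only" in self.options,
            "destinations": list(self.destinations) if "forward" in self.options else [],
        }


def is_valid(rule):
    try:
        return rule.validate()
    except ValueError:
        return False


def route(event, rules):
    """Combine every matching rule; the least restrictive effect wins (assumption)."""
    matching = [r for r in rules if r.matches(event)]
    if not matching:  # assumption: unmatched data gets normal processing
        return {"stored": True, "cre": True, "log_only": False, "destinations": [], "rules": []}
    eff = [r.effects() for r in matching]
    stored = any(e["stored"] for e in eff)
    cre = any(e["cre"] for e in eff)
    return {
        "stored": stored,
        "cre": cre,
        "log_only": stored and not cre and all(e["log_only"] for e in eff),
        "destinations": sorted({d for e in eff for d in e["destinations"]}),
        "rules": [r.name for r in matching],
    }


def outside_realtime_correlation(events, rules):
    """Coverage check: events that would never reach the CRE in real time."""
    return [e for e in events if not route(e, rules)["cre"]]


# Constructed rule set and sample events; none of this is real data.
RULES = [
    RoutingRule("drop-firewall-deny", "online", {"drop"},
                filters=[("category", "=", "Firewall Deny")]),
    RoutingRule("offsite-firewall", "online", {"forward", "bypass_correlation"},
                filters=[("source", "=", "firewall")], destinations=["offsite-collector"]),
    RoutingRule("dns-log-only", "online", {"log_only"},
                filters=[("source", "=", "dns")]),
]
for _rule in RULES:
    _rule.validate()

SAMPLE_EVENTS = [
    {"source": "firewall", "category": "Firewall Deny"},    # matches drop and bypass
    {"source": "firewall", "category": "Firewall Permit"},  # matches bypass only
    {"source": "dns", "category": "DNS Query"},             # matches log only
    {"source": "vpn", "category": "User Login"},            # matches no rule
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev, "->", route(ev, RULES))
    print("not correlated in real time:", outside_realtime_correlation(SAMPLE_EVENTS, RULES))
```

Running the model over the sample shows the case from the text: the Firewall Deny event matches both the drop rule and the bypass rule, so it is stored and forwarded but not correlated. The `outside_realtime_correlation` check is the part worth keeping in practice: run it over a representative sample of your own event categories before saving a new Drop, Bypass Correlation or Log Only rule, so that nothing an offense rule depends on quietly stops reaching the CRE.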