Configuring Routing Rules to Use the JSA Data Store
A new offering, JSA Data Store, normalizes and stores both security and operational log data for future analysis and review. The offering supports the storage of an unlimited number of logs without counting against your organization’s Events Per Second JSA license, and enables your organization to build custom apps and reports based on this stored data to gain deeper insights into your environments.
Using the Log Only (Exclude Analytics) option requires entitlement for JSA Data Store, but this is not currently enforced. In the future, when entitlement is enforced, access to the collected event data will be restricted to properly licensed systems. When the license is applied and the Log Only (Exclude Analytics) option is selected, events that match the routing rule are stored to disk and are available to view and search. The events bypass the custom rule engine (CRE), so no real-time correlation or analytics occur. The events can't contribute to offenses and are ignored when historical correlation runs.
- On the navigation menu, click Admin.
- In the System Configuration section, click Routing Rules.
- On the toolbar, click Add.
- In the Routing Rule window, type a name and description for your routing rule.
- In the Mode field, select Online.
- In the Forwarding Event Collector list, select the event collector on which you want to apply the Log Only (Exclude Analytics) option.
- In the Data Source field, select Events.
- Specify which events to apply the Log Only (Exclude Analytics) option to by applying filters:
  - To apply the Log Only (Exclude Analytics) option to all incoming data, select the Match All Incoming Events check box. If you select this check box, you cannot add a filter.
  - To apply the Log Only (Exclude Analytics) option to only some events, specify the filter criteria, and then click Add Filter.
- To apply the Log Only (Exclude Analytics) option to log data that matches the specified filters, select Log Only (Exclude Analytics).
The Log Only (Exclude Analytics) option specifies that events are stored and flagged in the database as Log Only and bypass CRE. These events are not available for historical correlation, and are credited back 100% to the license. This option is not available for flows.
You can combine the Forward and Log Only (Exclude Analytics) options. Events are forwarded to the specified forwarding destination in online mode. Events are stored and flagged in the database as Log Only and bypass CRE. These events are not available for historical correlation, and are credited back 100% to the license. This option is not available in offline mode.
If data matches multiple rules, the safest routing option is applied. For example, if data matches both a rule that is configured to drop it and a rule that is configured to bypass CRE processing, the data is not dropped. Instead, the data bypasses the CRE and is stored in the database.
- Click Save.
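The conflict behaviour described above (Log Only beats Drop, and Forward can be combined with Log Only) determines which events never reach the CRE and so can never raise an offense. The following is an added, simplified model of that disposition logic, not JSA code: it assumes a rule is a set of field=value filter conditions that must all match (an empty set standing for Match All Incoming Events), that all rules run in Online mode, and that forwarding is evaluated independently of storage; the rules and events are constructed for the demonstration.

```python
"""Simplified model of JSA routing-rule dispositions (added illustration, not JSA code).
Assumes: filters are ANDed field=value conditions ({} = Match All Incoming Events),
Online mode, and forwarding independent of storage (assumption, not documented)."""
from dataclasses import dataclass


@dataclass
class RoutingRule:
    name: str
    filters: dict          # e.g. {"log_source_type": "Proxy"}; {} matches everything
    drop: bool = False
    forward: bool = False
    log_only: bool = False  # Log Only (Exclude Analytics): store on disk, bypass CRE


def matches(rule, event):
    """All filter conditions must hold; an empty filter set matches every event."""
    return all(event.get(k) == v for k, v in rule.filters.items())


def dispose(rules, event):
    """Return the event's fate: which rules matched, and whether it is dropped,
    stored, visible to the CRE, and forwarded."""
    hits = [r for r in rules if matches(r, event)]
    log_only = any(r.log_only for r in hits)
    # Documented precedence: the safest option wins, so a matching Log Only
    # rule keeps the event even when another matching rule says Drop.
    dropped = any(r.drop for r in hits) and not log_only
    return {
        "matched": [r.name for r in hits],
        "dropped": dropped,
        "stored": not dropped,
        "cre": not dropped and not log_only,   # Log Only events bypass the CRE
        "forwarded": any(r.forward for r in hits),
    }


def audit_cre_blind_spots(rules, events):
    """Events that will never reach real-time correlation (so cannot contribute
    to offenses) because a rule drops them or flags them Log Only."""
    return [(e["name"], dispose(rules, e)["matched"])
            for e in events if not dispose(rules, e)["cre"]]


# Constructed sample rule set and events (not from any real deployment).
RULES = [
    RoutingRule("drop-debug", {"severity": "debug"}, drop=True),
    RoutingRule("archive-proxy", {"log_source_type": "Proxy"}, log_only=True, forward=True),
]
EVENTS = [
    {"name": "proxy-allow", "log_source_type": "Proxy", "severity": "info"},
    {"name": "proxy-debug", "log_source_type": "Proxy", "severity": "debug"},
    {"name": "fw-deny", "log_source_type": "Firewall", "severity": "warn"},
    {"name": "fw-debug", "log_source_type": "Firewall", "severity": "debug"},
]
```

Running `audit_cre_blind_spots(RULES, EVENTS)` before saving a rule shows which event sources would lose real-time correlation; here the proxy events do, including the debug one that a Drop rule alone would have discarded.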