10.1 Creating an Event Routing Rule

You can create a filter-based event routing rule and then assign one or more configured actions that are executed to handle or output the events that meet the rule's filter criteria.

  1. From Sentinel Main, click Routing.

  2. Click Create, then use the following information to create a new event routing rule:

    Name: Specify a unique name for the event routing rule.

    Filter: Select a saved filter to use in creating the event routing rule. The filter determines which events the rule applies to; the Route to the following services setting below determines where those matching events go, including whether they reach the event store. For more information, see Configuring Filters in the Sentinel User Guide.

    Select tag: (Optional) Select a tag to apply to the events that match the filter. Tagging lets you search for and filter on these events later by that tag. For more information, see Configuring Tags in the Sentinel User Guide.

    Route to the following services: Select where the matching events are routed. The options are:

    • All: Routes the event to all services including Correlation, Security Intelligence, and Anomaly Detection.

    • Event store only: Routes the event to the event store only.

      This option is not applicable for Sentinel Scalable Data Manager. The option to route only specific events for correlation is available in the Correlation Engine. For more information, see Distributing Events Across Correlation Engines in the Sentinel User Guide.

    • None (drop): Drops or ignores the events. Dropped events are not written to the event store and are not available to the other services, so they cannot be searched, correlated, or recovered later. Review the filter carefully before choosing this option.

    Perform the following actions: (Optional) Select an action to be performed on every event that meets the filter criteria. The following default actions are available for event routing rules:

    NOTE: When you associate a JavaScript action with a routing rule, write the rule so that it matches only a small percentage of events. If a rule triggers JavaScript actions frequently, the actions framework can build up a backlog, which reduces the events per second (EPS) the system can process and can degrade overall Sentinel performance. Non-JavaScript actions such as Sentinel Link do not have this limitation.

    For the actions to work, you must have configured the Integrator associated with each action for your environment.

    The actions listed here are different from the actions displayed in the Event Actions tab in the Sentinel Main interface. They are distinguished by the <EventRouting> attribute in the package.xml file created by the action's developer.

    Adding or Removing Actions: You can add more than one action to perform on the events that meet the filter criteria:

    • Click the add control to select additional actions to be performed.

    • Click the remove control to remove the selected action from this event routing rule.

  3. Click Save to save the event routing rule.

The newly created event routing rule appears at the end of the rules list under the Event Routing Rules tab. By default, the new event routing rule is active as soon as it is saved, so it begins affecting event flow immediately.
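The following is an added example that models the behaviour described above so you can check a rule set before saving it; it is not Sentinel's own code and does not reproduce Sentinel's filter language. Filters are stand-in Python predicates, first-match rule ordering and the "route unmatched events to All" fallback are assumptions of this model, and the sample events, rule names and action names are constructed for illustration. The check_action_load helper applies the NOTE above: it estimates what fraction of events would fire a JavaScript action and flags rules that exceed a tunable threshold.

```python
"""Toy model of filter-based event routing rules (added example, not Sentinel code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Routing targets named as in the Route to the following services setting.
ALL = "All"                          # Correlation, Security Intelligence, Anomaly Detection, event store
EVENT_STORE_ONLY = "Event store only"
DROP = "None (drop)"                 # event is discarded and cannot be recovered

Event = Dict[str, object]


@dataclass
class Action:
    name: str
    javascript: bool  # JavaScript actions run through the actions framework and can backlog


@dataclass
class RoutingRule:
    name: str
    matches: Callable[[Event], bool]  # stand-in for a saved Sentinel filter (assumption)
    route: str
    actions: List[Action] = field(default_factory=list)
    active: bool = True               # newly created rules are active by default


def route_event(rules: List[RoutingRule], event: Event) -> Tuple[str, List[str]]:
    """Apply the first active rule whose filter matches (first-match order is an assumption).

    Returns the routing target and the names of the actions that fire.
    An event matching no rule is routed to ALL (assumption of this model).
    """
    for rule in rules:
        if rule.active and rule.matches(event):
            return rule.route, [a.name for a in rule.actions]
    return ALL, []


def route_all(rules: List[RoutingRule], events: List[Event]) -> Dict[str, int]:
    """Count how many events end up at each routing target."""
    counts = {ALL: 0, EVENT_STORE_ONLY: 0, DROP: 0}
    for ev in events:
        route, _ = route_event(rules, ev)
        counts[route] += 1
    return counts


def match_rate(rule: RoutingRule, events: List[Event]) -> float:
    """Fraction of events a rule's filter matches on its own (upper bound on how often it fires)."""
    return sum(1 for ev in events if rule.matches(ev)) / len(events)


def check_action_load(rules: List[RoutingRule], events: List[Event], max_rate: float = 0.25) -> List[str]:
    """Flag rules whose JavaScript actions would fire on more than max_rate of the sample.

    max_rate is a tunable chosen for this small sample; in production keep it small.
    """
    warnings = []
    for rule in rules:
        js = [a.name for a in rule.actions if a.javascript]
        if js:
            rate = match_rate(rule, events)
            if rate > max_rate:
                warnings.append(f"{rule.name}: JavaScript action(s) {js} would fire on {rate:.0%} of events")
    return warnings


# Constructed sample events; field names are illustrative, not Sentinel's schema.
SAMPLE_EVENTS: List[Event] = [
    {"evt": "Heartbeat", "sev": 0, "sip": "10.0.0.5"},
    {"evt": "Heartbeat", "sev": 0, "sip": "10.0.0.6"},
    {"evt": "Debug", "sev": 1, "sip": "10.0.0.7"},
    {"evt": "Login", "sev": 2, "sip": "10.0.1.10"},
    {"evt": "Login", "sev": 2, "sip": "10.0.1.11"},
    {"evt": "Logout", "sev": 2, "sip": "10.0.1.10"},
    {"evt": "Config Change", "sev": 3, "sip": "10.0.2.20"},
    {"evt": "Failed Login", "sev": 3, "sip": "203.0.113.9"},
    {"evt": "Privilege Escalation", "sev": 5, "sip": "203.0.113.9"},
    {"evt": "Malware Detected", "sev": 4, "sip": "10.0.3.30"},
]

# Constructed rule set, evaluated top to bottom.
RULES: List[RoutingRule] = [
    RoutingRule("drop-heartbeats", lambda e: e["evt"] == "Heartbeat", DROP),
    RoutingRule("archive-low-severity", lambda e: e["sev"] <= 1, EVENT_STORE_ONLY),
    RoutingRule("critical-to-all", lambda e: e["sev"] >= 4, ALL,
                [Action("Sentinel Link", javascript=False), Action("Page on-call", javascript=True)]),
    RoutingRule("tag-all-logins", lambda e: "Login" in e["evt"], ALL,
                [Action("Enrich with geo lookup", javascript=True)]),
]

if __name__ == "__main__":
    print(route_all(RULES, SAMPLE_EVENTS))
    for w in check_action_load(RULES, SAMPLE_EVENTS):
        print("WARNING:", w)
```

Run the check against a representative sample of recent events before attaching a JavaScript action: in the constructed set, critical-to-all fires on 20% of events and passes the 25% threshold, while tag-all-logins fires on 30% and is flagged. Because rules are evaluated in order in this model, a broad drop rule placed first silently discards events that later rules were meant to act on, which is why route_all is worth inspecting alongside the warnings.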