You can create a filter-based event routing rule and then assign one or more configured actions that are executed to handle or output the events that meet the event routing rule criteria.
From, click .
Click, then use the following information to create a new event routing rule:
Name: Specify a unique name for the event routing rule.
Filter: Select a saved filter to use in creating event routing rule. This filter determines which events are stored in the event store. For more information, see Sentinel User Guide.
Route to the following services: Select where the information is routed. The options are:
All: Routes the event to all services including Correlation, Security Intelligence, and Anomaly Detection.
Event store only: Routes the event to the event store only.
This option is not applicable for Sentinel Scalable Data Manager. The option to route only specific events for correlation is available in the Correlation Engine. For more information, see Sentinel User Guide.
None (drop): Drops or ignores the events.
Perform the following actions: (Optional) Select an action to be performed on every event that meets the filter criteria. The following default actions are available for event routing rules:
Log to File: For configuration information, see Configuring the File Integrator.
Log to Syslog: For configuration information, see Configuring the Syslog Integrator
Send Events via Sentinel Link: For configuration information, see Configuring the Sentinel Link Integrator.
Send SNMP Trap: For configuration information, see Configuring the SNMP Integrator.
For the actions to work, you must have configured the Integrator associated with each action for your environment.
The actions listed here are different than the actions displayed in the <EventRouting> attribute in the package.xml file created by the developer.tab in the Sentinel Main interface, and are distinguished by the
Adding or Removing Actions: You can add more than one action to perform on the events that meet the filter criteria:
Click to select additional actions to be performed.
Click to remove the selected action for this event routing rule.
Clickto save the event routing rule.
The newly created event routing rule appears at the end of the rules list under thetab. By default, this new event routing rule is active.