2.6 Sentinel Data Routing and Data Storage

Sentinel provides multiple options for routing, storing, and extracting the collected data. By default, Sentinel receives the parsed event data and the raw data from the Collector Managers. Sentinel stores the raw data to provide a secure evidence chain and routes the parsed event data according to the rules you define. You can filter the parsed event data, send it to storage or to real-time analytics, and route it to external systems. Sentinel also matches all event data that is sent to storage against user-defined retention policies, which control when event data should be deleted from the system.

Depending on the events per second (EPS) rate and your deployment requirements, you can use either the traditional file-based data storage or the Hadoop-based scalable storage as the data storage option. For more information, see Data Storage Considerations.