IV Configuring Data Storage

Sentinel receives two separate but similar data streams from the Collector Managers: raw data and event data.

Raw Data

Raw data files contain unprocessed events that the Connector receives and sends directly to the Sentinel message bus. This data is written to the Sentinel server. Raw data is never filtered before Sentinel receives it. When the event is sent to the message bus, the following additional information is sent with it, without altering the original event:

  • SHA-256 hash of the event

  • Chaining indicator, which is reset to 0 whenever the Sentinel event source is restarted

  • Raw Data ID (in s_rv25)

  • Event source, Connector, Collector, and Collector Manager node IDs

Because the raw data is not searched or used to generate reports, the data is not indexed.
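The per-event SHA-256 and the chaining indicator give you enough to audit a raw data stream for tampering and for gaps, even though the files are not indexed. The following is an added example, not Sentinel's own code or file format: the field names (`event_source`, `chain`, `event`, `sha256`), the syslog-style sample lines, and the assumption that the chaining indicator is a counter that increases by one for each event from the same event source (and returns to 0 when the event source restarts) are all constructed for illustration.

```python
import hashlib


def sha256_hex(event: str) -> str:
    """Hex SHA-256 of the raw event text, the per-event hash that accompanies raw data."""
    return hashlib.sha256(event.encode("utf-8")).hexdigest()


def _record(event, chain, stored_hash=None):
    # Assumed record shape (illustrative field names, not Sentinel's schema).
    # By default the stored hash is computed from the event itself, i.e. an intact record.
    return {
        "event_source": "es-01",
        "chain": chain,
        "event": event,
        "sha256": stored_hash if stored_hash is not None else sha256_hex(event),
    }


# Constructed sample stream from one event source: two good records, one whose
# stored hash was computed over a different payload than the one delivered, a
# restart (chaining indicator back to 0), and a record missing from the chain.
SAMPLE_RAW_RECORDS = [
    _record("<13>Jan 10 09:00:01 web01 sshd[4711]: Failed password for root from 203.0.113.5", 0),
    _record("<13>Jan 10 09:00:02 web01 sshd[4711]: Failed password for root from 203.0.113.5", 1),
    _record(
        "<13>Jan 10 09:00:03 web01 sshd[4712]: Accepted password for admin from 203.0.113.5",
        2,
        stored_hash=sha256_hex(
            "<13>Jan 10 09:00:03 web01 sshd[4712]: Accepted password for admin from 198.51.100.9"
        ),
    ),
    _record("<13>Jan 10 09:05:00 web01 sshd[4720]: Server listening on 0.0.0.0 port 22", 0),
    _record("<13>Jan 10 09:05:02 web01 sshd[4721]: Failed password for root from 203.0.113.5", 2),
]


def verify_raw_records(records):
    """Recompute each record's SHA-256 and follow the chaining indicator per event source.

    Returns the indices of records whose hash does not match their event text
    ("hash_mismatches"), records that start a new chain after a restart
    ("restarts"), and records whose indicator skips ahead ("gaps").
    """
    findings = {"hash_mismatches": [], "restarts": [], "gaps": []}
    expected = {}  # event_source -> chaining indicator we expect to see next
    for i, rec in enumerate(records):
        if sha256_hex(rec["event"]) != rec["sha256"]:
            findings["hash_mismatches"].append(i)
        src, chain = rec["event_source"], rec["chain"]
        exp = expected.get(src)
        if exp is not None and chain == 0:
            # Assumed semantics: indicator returns to 0 only when the event source restarts.
            findings["restarts"].append(i)
        elif exp is not None and chain != exp:
            findings["gaps"].append(i)
        expected[src] = chain + 1
    return findings


if __name__ == "__main__":
    for kind, idx in verify_raw_records(SAMPLE_RAW_RECORDS).items():
        print(f"{kind}: {idx}")
```

A restart is expected operational noise and worth logging; a hash mismatch or a gap in the chain on a source that did not restart is what an investigator needs to explain before relying on that raw data file.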

Event Data

Event data is created as a result of a Collector parsing and normalizing raw data.

You can set filtering rules on the event source, Connector, and Collector, which selectively prevent the Collector from parsing raw data. Filtering rules avoid the overhead of parsing and normalizing data you do not need for further processing or analysis, and free up hardware resources for more important tasks. These rules do not affect the storage of the raw data. However, event data can be dropped after it is created by the parsing and normalization logic of the Collector by configuring an event routing rule to selectively drop the event data. This is useful when it is more convenient to define the rule on normalized data rather than non-normalized (raw) data. For more information, see Section 10.0, Configuring Event Routing Rules.

This section describes how to configure data storage to collect and store raw data and event data.