Configuring routing rules to forward data

Forward data by configuring filter-based routing rules.

About this task

You can configure routing rules to forward data in either online or offline mode:
  • In Online mode, your data remains current because forwarding is done in real time. If the forwarding destination becomes unreachable, any data that is sent to that destination is not delivered, resulting in missing data on that remote system. To ensure that delivery is successful, use offline mode.
  • In Offline mode, all data is first stored in the database and then sent to the forwarding destination. This mode ensures that no data is lost; however, delays in data forwarding can occur.
Restriction: QRadar® on Cloud users must open a support ticket to forward data to other systems. For more information, see QRadar on Cloud work items that require a support ticket.


  1. On the navigation menu ( Navigation menu icon ), click Admin.
  2. In the System Configuration section, click Routing Rules.
  3. On the toolbar, click Add.
  4. In the Routing Rule window, type a name and description for your routing rule.
  5. In the Mode field, select one of the following options: Online or Offline.
  6. In the Forwarding Event Collector or Forwarding Event Processor list, select the event collector from which you want to forward data.
    Learn more about the forwarding appliance:
    Forwarding Event Collector
    Specifies the Event Collector that you want this routing rule to process data from. This option displays when you select the Online option.
    Note: Online/Realtime forwarding is not impacted by any Rate Limit or Scheduling configurations that might be configured on a Store and Forward (15xx) event collectors.
    Forwarding Event Processor
    Specifies the Event Processor that you want this routing rule to process data from. This option is displayed when you select the Offline option.
    Restriction: This option is not available if Drop is selected from the Routing Options pane.
  7. In the Data Source field, select which data source you want to route: Events or Flows.

    The labels for the next section change based on which data source you select.

  8. Specify which events or flows to forward by applying filters:
    1. To forward all incoming data, select the Match All Incoming Events or Match All Incoming Flows checkbox.
      Restriction: If you select this checkbox, you cannot add a filter.
    2. To forward only some events or flows, specify the filter criteria, and then click Add Filter.
  9. Specify the routing options to apply to the forwarded data:
    1. Optional: If you want to edit, add, or delete a forwarding destination, click the Manage Destinations link.
    2. To forward log data that matches the specified filters, select the Forward checkbox and then select the checkbox for each forwarding destination.
      Restriction: If you select the Forward checkbox, you can select only one of these check boxes: Drop, Bypass Correlation, or Log Only.
      For more information, see Routing options for rules.
  10. Click Save.