Routing options for rules

You can choose from four rule routing options: Forward, Drop, Bypass correlation, and Log Only. The following table describes the different options and how to use them.

Table 1. Rule routing options

Forward: Data is forwarded to the specified forwarding destination. Data is also stored in the database and processed by the Custom Rules Engine (CRE).

Drop: Data is dropped. The data is not stored in the database and is not processed by the CRE. This option is not available if you select the Offline option. Any events that are dropped are credited back 100% to the license.

Bypass Correlation: Data bypasses the CRE, but it is stored in the database. This option is not available if you select the Offline option.

Log Only (Exclude Analytics): Events are stored and flagged in the database as Log Only and bypass the CRE. These events are not available for historical correlation, and are credited back 100% to the license. This option is not available for flows or if you select the Offline option.

The Bypass Correlation option does not require an entitlement for QRadar® Data Store. Bypass Correlation allows events that are received in batches to bypass real-time rules. You can use the events in analytic apps and for historical correlation runs. For historical correlation runs, the events can be replayed as though they were received in real time.

The Log Only option requires an entitlement for QRadar Data Store. After the entitlement is purchased and the Log Only option is selected, events that match the routing rule are stored to disk and are available to view and for searches. The events bypass the Custom Rules Engine, so no real-time correlation or analytics occur. The events can't contribute to offenses and are ignored when historical correlation runs. Some apps also ignore Log Only events (https://www-ibm.com/support/docview.wss?uid=swg22009471).

The following table describes the routing option combinations that you can use. These combinations are not available in offline mode.

Table 2. Rule routing combination options

Forward and Drop: Data is forwarded to the specified forwarding destination. Data is not stored in the database and is not processed by the CRE. Any events that are dropped are credited back 100% to the license.

Forward and Bypass Correlation: Data is forwarded to the specified forwarding destination. Data is stored in the database, but it is not processed by the CRE.

Forward and Log Only (Exclude Analytics): Events are forwarded to the specified forwarding destination. Events are stored and flagged in the database as Log Only and bypass the CRE. These events are not available for historical correlation, and are credited back 100% to the license.

If data matches multiple rules, the safest routing option is applied. For example, if data matches one rule that is configured to drop it and another rule that is configured to bypass CRE processing, the data is not dropped. Instead, the data bypasses the CRE and is stored in the database.
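The following model of the routing options and the "safest option wins" rule is an added example, not QRadar code or its configuration format. It assumes hypothetical rule objects with a match predicate, and it ranks Log Only between Drop and Bypass Correlation for safety, which goes beyond the single Drop-versus-Bypass case the text states.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable

class Route(Enum):
    FORWARD = "forward"
    DROP = "drop"
    BYPASS_CORRELATION = "bypass_correlation"
    LOG_ONLY = "log_only"

# Storage-affecting routes ranked from least to most safe: Drop keeps nothing,
# Log Only stores but is excluded from historical correlation, Bypass Correlation
# stores and can be replayed. Placing Log Only in the middle is an assumption.
SAFETY_RANK = {Route.DROP: 0, Route.LOG_ONLY: 1, Route.BYPASS_CORRELATION: 2}

@dataclass
class RoutingRule:
    name: str
    matches: Callable[[dict], bool]   # hypothetical predicate over an event dict
    routes: frozenset

def validate_rule(rule: RoutingRule, offline: bool, data_type: str) -> None:
    """Reject options the page says are unavailable for offline mode or for flows."""
    if offline and rule.routes & {Route.DROP, Route.BYPASS_CORRELATION, Route.LOG_ONLY}:
        raise ValueError(f"{rule.name}: Drop, Bypass and Log Only are unavailable offline")
    if data_type == "flow" and Route.LOG_ONLY in rule.routes:
        raise ValueError(f"{rule.name}: Log Only is not available for flows")

def resolve(event: dict, rules, offline=False, data_type="event") -> dict:
    """Effective handling of one event: Forward is additive; the safest storage route wins."""
    for rule in rules:
        validate_rule(rule, offline, data_type)
    matched = [r for r in rules if r.matches(event)]
    forward = any(Route.FORWARD in r.routes for r in matched)
    storage = [rt for r in matched for rt in r.routes if rt in SAFETY_RANK]
    effective = max(storage, key=SAFETY_RANK.get) if storage else None
    return {
        "forward": forward,
        "stored": effective is not Route.DROP,
        "cre_processed": effective is None,            # only unrouted data reaches the CRE
        "historical_correlation": effective in (None, Route.BYPASS_CORRELATION),
        "license_credit": effective in (Route.DROP, Route.LOG_ONLY),
    }

# Constructed sample: a noisy DNS source is dropped by one rule but archived with
# Bypass Correlation by a broader rule, the conflict case described in the text.
RULES = [
    RoutingRule("drop-dns-noise", lambda e: e["source"] == "dns-noise", frozenset({Route.DROP})),
    RoutingRule("archive-dns", lambda e: e["source"].startswith("dns"), frozenset({Route.BYPASS_CORRELATION})),
]
EVENT = {"source": "dns-noise", "severity": 3}
```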