Question & Answer
Question
What is the precedent in routing rules options?
Answer
Routing rule is a feature that allows the user to enact different actions on events. To access the routing rules menu, follow these steps:
- On the navigation menu, click Admin
- In the System Configuration section, click Routing Rules
To learn more about how to create routing rules, read the following article:
Configuring routing rules to forward data
Configuring routing rules to forward data
Routing rule have 4 options of action to use on events:


To learn more about each option and the possible combination, read the following article:
Routing rule options have a hierarchy in which rules with higher priority overwrite other rules that target the same events. The precedence is, from highest to lowest priority, as follows:
- Forward + Bypass Correlation: Data is forwarded to the specified forwarding destination. Data is also stored in the database, but it is not processed by the Custom Rules Engine (CRE).
- Forward + Log Only: Events are forwarded to the specified forwarding destination. Events are stored and flagged in the local QRadar database as Log Only and Custom Rules Engine (CRE) is bypassed.
- Forward: Data is forwarded to the specified forwarding destination. Data is also stored in the database and processed by the Custom Rules Engine (CRE).
- Forward + Drop: Data is forwarded to the specified forwarding destination. Data is not stored in the database and is not processed by the Custom Rules Engine (CRE).
- Bypass Correlation: Data bypasses Custom Rules Engine (CRE), but it is stored in the database.
- Log Only: Events are stored and flagged in the database as Log Only and bypass Custom Rules Engine (CRE). These events are not available for historical correlation, and are credited back 100% to the license.
- Drop: The data is not stored in the database and is not processed by the Custom Rules Engine (CRE). Any events that are dropped are credited back 100% to the license.
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwsyAAA","label":"Admin Tasks"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions"},{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSKMKU","label":"IBM QRadar on Cloud"},"ARM Category":[{"code":"a8m0z000000cwsyAAA","label":"Admin Tasks"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
14 September 2022
UID
ibm16618809