Reroute

Control Flow

Synopsis

Enables dynamic routing of logs to different target systems based on pipeline processing results.

Schema

reroute:
  - destination: <string>
  - description: <text>
  - if: <script>
  - ignore_failure: <boolean>
  - on_failure: <processor[]>
  - on_success: <processor[]>
  - tag: <string>

Configuration

Field           Required  Default  Description
destination     Y         -        Name of the target system configuration to route to
description     N         -        Explanatory note
if              N         -        Condition to run
ignore_failure  N         false    See Handling Failures
on_failure      N         -        See Handling Failures
on_success      N         -        See Handling Success
tag             N         -        Identifier

Details

The Reroute processor is a powerful feature that allows you to make routing decisions after processing your logs through pipelines.

While basic routing can be configured at the source level, Reroute gives you the ability to implement complex routing logic that depends on multiple conditions or transformations, and to route logs to different destinations based on the content extracted or transformed.

Warning

Make sure the destination field exactly matches the name of a target system in your configuration. Only one reroute processor is executed per log, even if the conditions of several reroute processors match; the first match wins.

The Reroute processor is particularly useful to achieve the following:

  • Security - Parse and normalize logs, enrich with threat intelligence, and route high-risk events to security platforms

  • Compliance - Filter sensitive data, apply transformations, and route them to compliance-mandated destinations

  • Cost reduction - Process high-volume logs, filter out unnecessary data, and route relevant logs to premium storage/analysis platforms

Examples

Microsoft Sentinel

First, define your Sentinel target...

- id: 1
  name: auto_sentinel
  type: sentinel
  properties:
    tenant_id: "00000000-0000-0000-0000-000000000000"
    client_id: "00000000-0000-0000-0000-000000000000"
    client_secret: "your-client-secret"
    rule_id: "dcr-00000000-0000-0000-0000-000000000000"
    endpoint: "https://your-dcr-endpoint"

then use Reroute to send the logs...

pipelines:
  - name: security_pipeline
    processors:
      - grok:
          field: message
          pattern: '%{IPADDR:source_ip}'
      - reroute:
          if: 'source_ip matches "10.0.0.*"'
          destination: auto_sentinel

Conditionals

Process logs, and route them based on the extracted data...

pipelines:
  - name: firewall_logs
    processors:
      - checkpoint:
          field: message
      - reroute:
          if: 'checkpoint.action == "Drop" && checkpoint.severity >= 3'
          destination: high_priority_sentinel
      - reroute:
          destination: standard_sentinel

using different target configurations:

- id: 1
  name: high_priority_sentinel
  type: sentinel
  properties:
    tenant_id: "tenant1"
    # ... high priority

- id: 2
  name: standard_sentinel
  type: sentinel
  properties:
    tenant_id: "tenant2"
    # ... standard
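The two semantics this example relies on, first-match-wins between the two reroute processors and the requirement that every destination name exactly matches a configured target, are easy to get wrong when a pipeline grows. The following Python simulation is an added illustration, not part of the product or this page; the pipeline and target names are constructed to mirror the firewall_logs example above, and the product's condition expression language is replaced by Python callables, which is an assumption for illustration only.

```python
"""Simulate reroute selection and validate destinations against targets.

Added example (not product code). The condition language of the real
processor is stood in for by Python callables; the config is constructed.
"""
from typing import Any, Callable, Dict, List, Optional

Event = Dict[str, Any]

# Constructed target names, as they would appear under `name:` in the
# target configuration.
TARGETS = {"high_priority_sentinel", "standard_sentinel"}

# Constructed reroute steps in pipeline order. A step without `if` is an
# unconditional fallback, like the second reroute in firewall_logs.
REROUTES: List[Dict[str, Any]] = [
    {
        "destination": "high_priority_sentinel",
        # stands in for: checkpoint.action == "Drop" && checkpoint.severity >= 3
        "if": lambda e: e.get("checkpoint", {}).get("action") == "Drop"
        and e.get("checkpoint", {}).get("severity", 0) >= 3,
    },
    {"destination": "standard_sentinel"},
]


def validate_destinations(reroutes: List[Dict[str, Any]], targets: set) -> List[str]:
    """Return every reroute destination that has no exactly matching target.

    Catches the misconfiguration the page warns about (typo, wrong case)
    before any log is routed nowhere.
    """
    return [r["destination"] for r in reroutes if r["destination"] not in targets]


def select_destination(event: Event, reroutes: List[Dict[str, Any]]) -> Optional[str]:
    """Pick the destination of the first reroute whose condition holds.

    Later reroutes are ignored even if their conditions would also match,
    mirroring the "only one reroute processor is executed" rule.
    """
    for step in reroutes:
        cond: Optional[Callable[[Event], bool]] = step.get("if")
        if cond is None or cond(event):
            return step["destination"]
    return None  # no reroute matched: the log keeps its source-level routing


if __name__ == "__main__":
    assert validate_destinations(REROUTES, TARGETS) == []
    dropped = {"checkpoint": {"action": "Drop", "severity": 4}}
    print(select_destination(dropped, REROUTES))  # high_priority_sentinel
```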

Multi-Stage

Process logs through multiple stages before routing...

pipelines:
  - name: complex_processing
    processors:
      - json:
          field: message
      - grok:
          field: parsed_message
          pattern: '%{DATA:app_name}'
      - user_agent:
          field: user_agent
      - geoip:
          field: ip_address
      - reroute:
          if: 'geoip.country_code not in ["US", "CA"] && app_name == "core_banking"'
          destination: security_analytics
      - reroute:
          destination: standard_logs