How to prevent correlated events from being created.

  • 7002447
  • 26-Jan-2009
  • 26-Apr-2012

Environment

Novell Sentinel 6.0 Support Pack 2 Correlation Server
Novell Sentinel 6.1 Correlation Server

Situation

By default the Sentinel Correlation Engine creates and publishes an event when a correlation rule matches its defined conditions. These correlated events do not usually make up a significant percentage of the data stored in the database, but depending on how the correlation rules are written they can double the storage requirements compared with running without correlation rules (for example, if the rules match every event sent through Sentinel). If the correlated event is not needed when a rule fires, disabling publication of these events may be a valid option.

Resolution

Modify $ESEC_HOME/config/correlation_engine.xml, adding the following directly beneath the <obj-container name="Correlation_Engine"> tag:

<obj-component id="CorrelatedEventPublisher">
  <class>esecurity.ccs.comp.correlation.CorrelatedEventPublishComp</class>
  <property name="correlation.event.publish">false</property>
</obj-component>

Restart the Correlation Engine's Sentinel services to apply the change. All correlation rules on that machine should then no longer generate correlated events.
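As an added example (not part of this TID and not Novell code), the following Python script applies the change to the file text idempotently and verifies the result by parsing the XML. Only the container tag, component id, class name and property come from the TID; the sample configuration, its root element name and the regular expressions are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Values taken from the TID; everything else in this file is an assumption.
COMPONENT_ID = "CorrelatedEventPublisher"
PUBLISH_PROP = "correlation.event.publish"
SNIPPET = """
<obj-component id="CorrelatedEventPublisher">
  <class>esecurity.ccs.comp.correlation.CorrelatedEventPublishComp</class>
  <property name="correlation.event.publish">false</property>
</obj-component>"""
CONTAINER_RE = re.compile(r'<obj-container\s+name="Correlation_Engine"\s*>')
PROP_RE = re.compile(
    rf'(<property name="{re.escape(PUBLISH_PROP)}">)\s*\w*\s*(</property>)')

# Constructed stand-in for correlation_engine.xml; the real file is larger
# and its root element name is unknown here.
SAMPLE_CONFIG = """<configuration>
  <obj-container name="Correlation_Engine">
    <obj-component id="OtherComponent">
      <property name="example">1</property>
    </obj-component>
  </obj-container>
</configuration>
"""


def apply_setting(text: str) -> str:
    """Return the config text with publishing disabled; safe to run twice."""
    match = CONTAINER_RE.search(text)
    if match is None:
        raise ValueError('<obj-container name="Correlation_Engine"> not found')
    if f'id="{COMPONENT_ID}"' in text:
        # Component already present: only force the property to false.
        return PROP_RE.sub(r"\g<1>false\g<2>", text, count=1)
    # Insert directly beneath the container's opening tag, as the TID says.
    return text[:match.end()] + SNIPPET + text[match.end():]


def publish_disabled(text: str) -> bool:
    """Verify the edit: the publisher component exists and is set to false."""
    root = ET.fromstring(text)
    for container in root.iter("obj-container"):
        if container.get("name") != "Correlation_Engine":
            continue
        for comp in container.findall("obj-component"):
            if comp.get("id") == COMPONENT_ID:
                prop = comp.find(f"property[@name='{PUBLISH_PROP}']")
                return prop is not None and (prop.text or "").strip() == "false"
    return False
```

Run apply_setting on the contents of $ESEC_HOME/config/correlation_engine.xml (after taking a backup), write the result back, and confirm with publish_disabled before restarting the services.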

Additional Information

Note: This prevents all correlated events, even explicitly created events, from coming from the entire Correlation Engine machine on which this setting is implemented.  Other Correlation Engines will not be affected by this change.

Note: Performance of the overall Sentinel system in general and the Correlation Engine specifically will not be affected.  The Correlation Rule still fires and the event is still created but with this setting it is not published to the rest of the system.

Note: Statistics for the Correlation Engine should not be affected by this change.  The count of times the rule and/or action has fired should increment normally.  These can still be reliably used to determine if a correlation rule is executing as events that trigger it are processed.