Kinda need a little more detail than that I am afraid.
A forwarding connector is useful for forwarding log data from either Logger or ESM to a different destination. The usual situations for doing this focus around making sure you can do something with the data received - such as forwarding from Logger to ESM for correlation purposes. Or you can look to forward correlated events from ESM to Logger for long term storage.
There are two different types of forwarder for ESM though - the correlated event forwarder and the standard forwarder. The advantage of using the correlation one is that you get the base events that triggered the correlation in the first place. With the standard forwarder, you just forward the filter matching events only - and if it's a correlation event, you don't necessarily get the base events.
There is a discussion around needing the base events when forwarded, but I have always asked customers to consider what they need. For example, if you forward a 'brute force login attempt' correlation, you will have the aggregated data in the event - so the source, username and number of attempts (and hopefully the zone information too). But do you need each of the base events too? You can do the investigation you need based on the source IP and username, so it depends on what you are looking for and why.
Hope this helps.
I read your comment regarding the standard forwarder connector.
I have SC > ESM and Logger, and I need only correlation events to be sent to the Logger, without the base correlated events.
I have my Fwd User under a Custom User Group with ACL "ArcSight Correlation Events". Is there anything else that needs to be defined so only the correlation events are being forwarded?
I see, could you please point out the difference in terms of implementation for the correlated event forwarder and the standard forwarder, or if you have a document reference, as I couldn't find this information in the guide, and the Fwd Connector is sending the base correlated events which I don't want.